General discussion


admin rights for executives?

By Hiro_Protagonist ·
I've got a wanabe who just hired on as a Senior Vice President. This guy used to work for the company like 2 years ago but got laid off. Now he's back and we've upgraded to 2000 from 98 and he insists on having admin rights to his W2K laptop because he needs to "control his own destiny on the computer" pfft...
My boss and I are sticking to the guns that got our support to user ratio up to 1/150. Has anyone run into this problem? Do you give admin rights to your executives if they ask for it?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -


by mikeapostol In reply to Give Examples

I think there are many other ways of giving a user what they need without giving them a Local or Domain Administrator account. I don't have time right now to go into them, but Group Policy, OU's, Security Templates, etc are what I would use to address a business need. If there was a strong business argument for a specific user to have elevated rights/permissions/etc, I would try to deal with it by using a Security Group. I would never, ever, give a "User" Local or Domain Administrative rights unless they were an Administrator themselves with formal training and experience as well as need for Delegation. I have wasted too much time as a direct result of this to really ever consider it an effective approach.

Collapse -

I understand what you're saying.

by Oz_Media In reply to Addendum

But if the boss wants to screw up the network, who are you to say he can't? YOu work for HIM and HE pays you to do exactly what e asks of you, bottom line, no if's and or buts about it, it is NOT your place to say no.

If the boss asks for YOUR personal password and login name, you are obligated to give it to him. He who writes the checks, calls the shots, not his employees.

Collapse -

A higher Calling

by jharris In reply to I understand what you're ...

Oz...the horse of a different color comes to mind.

Our top priority is to protect the data. The data pays our checks. Executives comes and they go. The data and their equipment comes back to us. We are the gatekeepers. IT policy, particular security polices are in place to protect the data, thus, securing Payroll, Gods of the check printers.


Collapse -

Fair enough

by Oz_Media In reply to A higher Calling

Personally I would let the Senior Vice President screw it up all he liked. If he wanted to take a baseballbat to the server I may suggest otherwise, when it all comes down to it, you are protecting his equipment and his company not yours. If he's REALLY that much of an idiot, he'll screw up and ultimately create more work for you, but how can you not justify time spent repairing at that point?

I just don't see what the big deal is really, it's not like the shipping clerk is asking for access.

Collapse -

Corporate culture

by JamesRL In reply to Fair enough

Personally the answer to me lies in the corporate culture. Some places allow more latitude, some don't.

At the Fortune 100 I worked at, I was asked by a VP to take off a piece of security software off the user's Macintosh. The software encrypted the Mac equivalent of the FAT and required a password, and of course timed out.

But because there was a corporate policy sponsored by the CIO and signed by the president, my duty was clear. I refused. But I did it politely and suggested that it wasn't an issue for me to decide. If the CIO was willing to grant an exception, I committed to removing the software as soon as I could. The VP was confident he would get the exception, and I gave him my extention.

Of course, I knew how the CIO would react. When I aksed him about it a few weeks later, it was clear the VP reconsidered, and never asked for an exception to be made.

In dealing with these kinds of issues, its often a matter of your duty to the company as a whole, not just to one individual. Unless its the owner who is making the request, not just a VP.


Collapse -

Doing the RIGHT thing or the SMART thing

by haveutriedrebooting In reply to admin rights for executiv ...

Dealing with Executives can be very touchy.
I support the executive staff at my company and know first hand. I feel for your situation. As I.T. Professionals we all know what the right thing is. I have worked at places where I.T. has teeth and things seem to go much smoother.
I think the smart action in this case is as others have suggested: send the request for Admin rights up the chain of command. After all, you don't get to pick and choose who gets them and it takes you out of the line of fire. Unfortunately the top I.T. person in my Org reports to the CFO and there have been many escalations that have not gone the proper way.
It sounds like your Company is the same- so be prepared to carry out whatever is decided (and preferrably get it in an email in case people "forget" who authorized it). I would also suggest a good recovery plan. I try to treat the critial machines as if they were servers (spare hardware, automated backups, etc..) I ghost most of the critical executive machines every other week as access permits and this has saved time/money for all involved. As the front person representing I.T. to our executive staff I feel providing the best level of service as well as being honest about your work will earn you respect and trust. There will always be the primadonna's and Egomaniac's but overall I have worked with some top notch professionals. You will always lose in a battle with your bosses, bosses, bosses, boss- even if you are right!
Just my 2cents worth.

Collapse -

Simple Solution

by druidpromo In reply to Doing the RIGHT thing or ...

It's a losing battle but you have to protect yourself, give him the rights, document it and get it signed off by your superior when the crap hits the fan on the laptop sort the problem out and trust me after a few times every exec gets fed up with the "power" of being an admin..that's my experience, play the up the restore procedure after he messes it up the first time, talk about the "complications" even though you will get it fixed, you'll see he'll think twice about messing with administrator privelidges, it's just a power thing for them they really don't mess with it after a while....but in retrospect being a consultant myself there are times execs need that privelidge when they are off sit to install an app or connect to a let them play with it but like all kids the toy gets thrown to the side eventually...

Collapse -

Pls try this

by Amitdkulkarni In reply to admin rights for executiv ...

if u r using Domain policies, then Pls go to ur Administrative tools, Active Directory Users & Computers. In this section got to user section. U will find a user entry as Default OU policy deny.
Add the computer's entry into the Member section.
Then go to Worstation section & select the computer name u entered in the previous stage.
Here right click on the name & go to manage.
In the manage option, add the user to the administrators group. restart the pc & ur problem is been solved.

Generally we don't give these rights to the users using pcs,but in case of laptop users, yes sometimes we have to be flexible.But the user's admin rights r limited to his pc only. So there is no problem in going for the option. After all it's ur decision in the end.

Collapse -

Talk to the big cheese and explain why.

by In reply to admin rights for executiv ...

I have found over the years that if you sit down and build a case on why they shouldn't have access and then talk to the VP who says they need it and explain why. If this doesn't resolve the problem explain that this is a company policy that if changed for one person could cause harm. If that doesn't work go over his head.

Collapse -

Segment the rights!!

by samh_ In reply to admin rights for executiv ...

Laptop users often need the ability to configure communication devices (modem,network,firewall,...) when travelling.

Giving them admin right is dangerous because they are more likely to be attacked while not in their secured office.

I would create them a local administrator on the PC that will allow them to do any change (they could even 'run-as').
As this admin is local to the PC, it won't have access to the network, reducing incidence.

This is not the ideal solution, but I find it better than giving local admin right on a domain user.

Related Discussions

Related Forums