General discussion

  • #2294083

    admin rights for executives?

    Locked

    by hiro_protagonist ·

    I’ve got a wannabe who just hired on as a Senior Vice President. This guy used to work for the company like 2 years ago but got laid off. Now he’s back and we’ve upgraded to 2000 from 98 and he insists on having admin rights to his W2K laptop because he needs to “control his own destiny on the computer” pfft…
    My boss and I are sticking to the guns that got our support to user ratio up to 1/150. Has anyone run into this problem? Do you give admin rights to your executives if they ask for it?

All Comments

    • #2692240

      Maybe exec support

      by gralfus ·

      In reply to admin rights for executives?

      The way we handled execs was to provide them with their own polished support team. Most execs don’t know their modem from a hole in the ground, so they appreciate having a well-dressed individual come and rescue them.

      For those that have enough knowledge to make them dangerous, the same team can explain to them why the rules are there, etc. But you must have backing from on high or the execs will make life difficult. Most can at least understand that if they screw up their work PC, their work will suffer. Show them the danger versus benefit. Insist that if they want customization, that it should be done by them on their home PC (that is not attached to your network) or that you can provide installation of certain programs once they have been determined not to conflict with company work programs. It will come down to a power play – beware of the walls that will result as you can find yourself unemployed before you know it.

      Lastly, image his PC in a working mode so that it can be restored quickly after he screws it up, because he will screw it up. And for kicks keep track of how many times this takes place and the cost involved.

      • #2692231

        thats good advice

        by hiro_protagonist ·

        In reply to Maybe exec support

        Thanks gralfus, Those are all very good points.

        It will be interesting to see how this plays out. He claims that it will require more support because he won’t be able to admin his own PC and will have to call me every time he needs something changed. Although, when I asked him for specifics he couldn’t name anything besides installing his WiFi card for his home network, which I agreed to install for him.

        This may be a self-fulfilling prophecy. If he doesn’t have the admin rights, he’ll be more apt to want to install things and change settings and will make sure he is a giant pain in my butt so he can prove his point.

        Personally I think he just doesn’t like following rules set down by someone so much younger and lower on the food chain than him. This guy has a huge ego and would probably have a hard working tech like me canned just to get his way…

        • #2731734

          Installed a personal WIFI for him? Where’s the policy on that?

          by afoshee ·

          In reply to thats good advice

          We have similar problems at our company with managers at all levels wanting admin rights, and we just document all the problems that causes and eventually senior management gets tired of the cost and hassle involved and we get permission to lock down virtually every exception.

          You’ve got to remember three things in corporate life…
          1) For every rule you need to be ready for an exception.
          2) Get everything in writing.
          3) Without senior management approval you’ve got squat.

          Our business isn’t one prone to hackers nor security issues, but we are constantly vigilant to prevent problems. And WIFI networks are huge gaping holes of access for anyone with three brain cells and no morals to gain access to a network. We require all employees to disable or remove their WIFI cards while they’re in the office, and we don’t support any problems that are created with them (i.e. software conflicts, etc.).

          I hope you didn’t “step in it” by installing a personal piece of hardware in a corporate laptop – that would be a real big “NO-NO” where I am.

          Good luck!

        • #2731660

          Very true

          by jason.hughes ·

          In reply to Installed a personal WIFI for him? Where’s the policy on that?

          I think this makes sense, and it’s what we do at my institution as well. With such a diverse group (executives, physicians, researchers, administrators, facilities, etc.) we have just about every type of client you can think of. We get administrative access release forms signed for anyone that wants access, no matter their executive level. Any damage they do (installed programs, added network cards, configuration changes, etc.) is fixed at a billable rate, rather than our usual inclusive break/fix service. Also, we require the Altiris management client and Norton AntiVirus in addition to a Win2k/XP domain login for network connection; this is a non-negotiable policy due to viruses and the need to update Windows to patch vulnerabilities. Executive advocacy is a must-have, not only from the CIO, but from the rest of the senior management. As long as the CIO has the support of senior management, his/her policies will stick much better, and clients will soon realize that they must bear some responsibility. I like the idea of a dedicated team for “gold” support levels, although in this economy it’s not often possible to do so. We have instituted “express service” for some activities that require payment, or a higher than usual payment, for services rendered outside our supported standards or for services to be rendered ahead of our standard SLA.

          As for the manager that was lamenting his 150:1 machine/tech ratio…I’m up to about 500:1, so you’ve got a long way to go!!

          -J

        • #2731645

          Policy versus Procedures

          by berniedixon ·

          In reply to thats good advice

          First, policy is not signed by me the security officer as I’m not the owner (CEO, board of directors, etc.). The owner is the only one who can sign a formal statement of rules that everyone in the company must follow. I write the procedures that implement both physical and logical controls based on policy and risk, which are both signed by the owner.

          Second, this owner signed policy applies to everybody in the company, including executive VPs. Selectively applying policy is known as discrimination in a court room setting and can lead to wrongful termination lawsuits. Not applying policy at all is called implied consent in that same court room. Which problem does the owner want to potentially occur?

          Third, what this all means is that the owner has to 100% support the policies he or she signed off on. If you are the one who signed policy (not procedures), then you have no hammer to apply to anyone in the company who violates that policy. If the owner doesn’t really support policy, then you have no real hammer either, but the company could have some interesting days ahead in the business arena.

          Lastly, if this exec has a business case for needing admin privileges, then let him present it. If approved by the owner, then give him security and admin training. Have him sign off that he is aware of his responsibilities as pertaining to company policies and procedures. Now he’s responsible for any screw ups. See how he likes that 🙂

        • #2731619

          Dont do it

          by mdodd ·

          In reply to thats good advice

          We had our VP of taxes try the same thing with his pc and his sonic wall at home. He kept messing up his system so much that I changed the passwords and he has to go through us for any changes to his pc/security system. The lesson learned by all was to stick to the policies because they were established for a good reason. Would he want you messing around in his office and change how he does things?

        • #2736841

          Control Issues

          by dennis.doerr ·

          In reply to Dont do it

          What I am hearing is a lot of control issues. What you have to remember is that IT is a necessary service center for a company, the key word being service. When you have a request that falls either outside policy or somewhere on the edge, your job is to evaluate the validity and provide an informed recommendation to your supervisor. Don’t assume that someone doesn’t need something just because you think they are not as knowledgeable as yourself. Different functional divisions of a company will have different needs i.e. executive, accounting, engineering, etc. I have seen companies that won’t let engineers install their own software, and on top of that it takes a formal request and at least 2 weeks to get the software installed. This is completely unacceptable. If you are going to deny a request you had better make sure you can properly support the needs of this individual.

          One of the comments referred to the company network as their office and “he wouldn’t want you messing around in his office?”. Something to keep in mind is that the individual’s PC has become the majority of his office, i.e. desktop, filing system, address and appointment book, etc. By limiting his ability to customize his computer you are in effect telling him what tools he can use on his desk.

          I have Admin rights to my laptop and in the last 3 years I have installed hundreds of software packages, and none of these have created a problem that required IT intervention.

        • #2735832

          Agreed…

          by fjeanbart ·

          In reply to Control Issues

          Just assess the IT knowledge of people asking for admin privileges over their desktop.

          1. Make sure that the administrative account used on the personal PC (laptop, workbook, whatever) IS NOT the same account used to log on the corporate network (!!!).

          2. If they need some learning just to make sure they don’t bug their machine every week, tell them to get the knowledge first, else show them how it could not only cost the company, but also that each “PC fail” is well documented for every employee (a person asking for such admin rights will think twice about it).

        • #2706157

          I agree 100%

          by ranradio ·

          In reply to Control Issues

          IT is a necessary service center for a company, the key word being service, instead of control

        • #3306884

          Total agreement

          by mromero ·

          In reply to Dont do it

          The Policies and Procedures are in place for a reason, there is no reason that I can see that warrants this type of access, all I can see is a lot of trouble not too far down the track.

          This also leads me to ask the question why was he dismissed before?

          NO WAY IS HE GETTING THAT LEVEL OF ACCESS.

        • #2731570

          Support

          by networkplanner ·

          In reply to thats good advice

          We have a policy for executives that gives a little bit of flexibility. For any exec that wants to have those rights, we give it to them. The caveat for them is that IT supports ONLY the preinstalled apps. Any issues related to non-supported apps are handled by the exec. If the app causes an issue with supported apps the offending program is deleted. If the problem is not solved by removing the program, the computer is reimaged from a generic Ghost image. If the exec is willing to abide by that, they are given access. This only applies to Senior Executives, ie, officers of the company.

          This is in a Fortune 500 company.

        • #2731424

          Licensing Issues

          by nickb ·

          In reply to Support

          We found an executive that installed unlicensed software on his company laptop. We discovered it by accident while auditing software on the network while he was connected. This is a tremendous liability and can cost thousands of dollars per occurrence. All permissions were removed and the software deleted.

        • #2731508

          the psychology of it

          by eth0 ·

          In reply to thats good advice

          Whenever you do help, you must not let your ego get in the way as well. We can all fix the broken parts, but it is better to prevent them from breaking.

          You are right he does not want to follow IT policy because it makes him feel inferior. Try to take this feeling away from him by explaining to him in layman’s terms some common hacker techniques exposed through assigning admin rights to ordinary users (i.e. vp’s and all the above, lol)

          Of course he will probably brush hacker talk right out the window which is what the hacker…

          well good luck!!

        • #2731471

          An image is worth a thousand word…

          by saintgeorge ·

          In reply to the psychology of it

          … and an experience is worth a million.

          I worked in a company where we had one of those hard cases. The guy in charge of network security and policy finally let the exec have his way. And then hacked into his notebook. Nothing serious or harmful, just messed up his screensaver and sounds (it would fart every time he turned it on and burp for mistakes). And he also trashed his porn (oh yeah, that’s what he wanted to install, Kazaa). And demoted him to guest status so he couldn’t change anything back. How he did it I don’t know, I’m just the guy who sets the hardware up, changes faulty kbs, disks and monitors, and he wouldn’t tell me…
          Second time, he had his way, and the exec gave in.

        • #2736875

          You might have the secret in there

          by user@# ·

          In reply to thats good advice

          You say he has a huge ego? I hate what I’m about to suggest, but try a “suck-up” type routine– play on his importance and the fact that his time is better spent working his job; the “small-fish problems” that he finds on his laptop are better suited to those of you who are more familiar with the new complexities and nuances of the new O/S, etc.

          I once worked for a company with a BS (boss’s son) who thought he was the last word in computers. At a time when there was only one PC in the company and I was working on the Quality Assurance Plan (required by the state license), he locked the hard drive and left for a week. Later, when we got a LAN and someone else in charge of that we pretty well kept him locked out. Believe it or not, he eventually got himself fired– but that’s another story.

      • #2736961

        Local Admin?

        by gpartridge ·

        In reply to Maybe exec support

        If the Executive requires local Admin rights to his laptop then what’s the problem?
        He can’t cause issues other than with his own laptop.
        Give him the rights and if he causes himself problems, politely explain that the IT Policy would have prevented the issue.

        • #2736946

          WTH????

          by russell ·

          In reply to Local Admin?

          First of all, you have just set the standard: IT policy is worth less than the disk space the file occupies on the network. When that laptop crashes because he installed Bonzi Buddy and a handful of other non-standard apps, who is he going to come running to?

          How are you going to tell the other VP’s, that they can’t have local admin rights? You’ve already given them to VP 1.

          Do you or your manager answer directly to this VP? If not, he needs to go through his chain of command with a business justification of why he needs those rights.

        • #2731759

          Reply To: admin rights for executives?

          by alysonh ·

          In reply to WTH????

          We have a fairly laid back policy regarding user rights on local computers/desktops. It works because it’s a small network though, only about 50 users. The rule, in writing is, you are allowed to administer your own desktop, HOWEVER, we do not support, fix, repair or otherwise take care of problems that have to do with anything they install or arise from anything they install. We also disclaim, from the point that they change something, any responsibility for anything on the computer.

          What I have found is one “Hrmmm, I’m going to have to reformat this, will be a couple of days before you get it back” has pretty much stopped people from playing too much with their computers.

          What -I- would do?
          a) Give the guy what he wants.
          b) Get his acknowledgement that he understands what he is playing with and the consequences. (I’d suggest getting it in writing)
          c) Make sure that his superiors understand that you are giving him admin rights because he demanded them but you can’t be responsible for what might happen, i.e. losing usage for a few days.

        • #2731749

          Support it anyway

          by kasualkid ·

          In reply to Reply To: admin rights for executives?

          I would say you would end up supporting it anyway – even if all you do is re-image the desktop.

          We just hired a COO within the last year and a half (he came from one of the big 3 oil companies). My VP of IT reports to him and he is greatly concerned about the support we have to maintain to people who do not abide by IT policies. His most recent comment was, “At [the oil company he worked at before] if a support issue was caused by a user ‘breaking an IT policy’, they sent the user a personal bill for the support call.”

          An interesting concept. I would write a contract to that effect and create a new revenue stream for your support staff.

        • #2731714

          So You will make the time that you don’t have?

          by it-is manager ·

          In reply to Reply To: admin rights for executives?

          That sounds very “user friendly”, but not very realistic – I believe the policy was put in place to reduce work not create it by giving users rights and waiting for the inevitable to happen – like at 5:30 when you’re trying to walk out the door. And I don’t care how casual your company is or small – I find it hard to believe that your president/owner is going to say “Ok a couple days for John without his computer is fine – just get it to him when you can.” more like – “Get it going ASAP and explain to him what he did wrong – I know he did wrong, but he needs his computer to work and we can’t wait a couple days”.

        • #2731675

          We used to have a similar policy…

          by rbmg ·

          In reply to Reply To: admin rights for executives?

          We run a network with approximately 70 Clients and used to have a similar policy….until users started loading software that would consistently go out on the network or internet (like Weather Bug). This started clogging up the network with non-company related traffic that would bring the network down to a crawl, thereby affecting everyone.

          We locked down all clients, removed all non-company related software and re-wrote the policies. No network problems, client problems reduced by 85%, network traffic issues are virtually non-existent. Only traffic problem we have had since doing this was from a screaming NIC…we replaced the NIC card and have had no issues since.

        • #2731422

          Been on both sides

          by calzinman at earthlink.net ·

          In reply to Reply To: admin rights for executives?

          I’ve done a lot of hardware and software installation and repair, as well as network management. I used to do the direct user support for about 100 users. Unofficially, as it wasn’t my job, but I was the one everyone came to because I could usually fix the problem. I did the triage. If it was hardware, I called the overworked techs and told them what was needed (I was usually right–the techs asked for “second opinions” from me, too). If it was software, I either fixed it or, if the system had gotten to “cruft level 5” and above, it went to the official techs for a reblow.

          About a year ago, I transitioned into a job in another organization where I was relatively senior, and could leave the user support behind (they have a larger, better tech staff than I was used to). However, *I* wanted admin rights to my XP laptop. My old organization had gotten tighter and tighter, pulling all control into the national office, to the point where they had a mis-set switch in their XP install that caused a long-time app (an app managed by the same useless national office people) to misfunction in a very annoying way for every user in the country. Everyone, including the local techs, was locked out of the setting. I told the national folks that there was a problem, and what and where it was and what to do to fix it. Over a year ago. It’s still not fixed. Everybody’s still using kludgy workarounds and wasting time. I will *not* stand for that on something I’m trying to get work done on. Maybe I’m funny that way, but I think technology is here to serve *me,* not the other way around!

          I fully understand the implications of taking on admin rights (hell, I still administer a couple of networks on the side, one a mixed-platform), and I’m exceedingly careful of what I do–and don’t–install.

          But I also know I am, by and large, the exception, in that I *do* understand the implications, so I’m pretty careful.

          I understand wanting admin rights (which, by the way, I was given by my new organization–without having to raise a fuss). I don’t want to be balked by someone *else’s* ideas of what I should and shouldn’t have on a machine only *I* use. But I also know that it’s a recipe for disaster for many users. It sounds like it may well be for the boss described. I agree with those who are saying “give it to him, but make sure he’s agreed–preferably in writing–that, if he screws it up because of something he did, it may be a while before it can get fixed.” I don’t think that’s at all unfair to ask, and I think if you can present it to him as an issue of fairness, he can probably be persuaded.

        • #2706143

          Don’t do it!

          by bmarin ·

          In reply to Reply To: admin rights for executives?

          I don’t think the users should even have access to their control panel. I can’t tell you how many secretaries have released a virus by trying to download puppy-dog wallpaper.

        • #2731742

          I agree with Rusty

          by seamus ·

          In reply to WTH????

          Allowing someone to dictate change without a business need is opening Pandora’s box.

          I can assume that you do because you probably wouldn’t be having this discussion if he was VP for another department.

          Education is the most important tool you have in your arsenal. Teach him the reasons that Administration privileges are limited. Administration privilege makes the machine more open to Virus attacks, Spyware and other unwanted menaces. Thus making the network more vulnerable.

          If he still insists on the change then have him make the change request based on business need. This is an explanation of why it is a requirement and have it signed off by a superior. (superior to the person making the request.) I know in this situation that is very limited but that is the policy that we have here. If it is the president that is making the request I have my superior sign off.

          You can request this because you are going outside company policy and you need to document any deviation from company policy for future reference.

          If the business reason is not a need it is a want then you have something to work with.

        • #2731664

          Do you have a leg to stand on?

          by tllvp ·

          In reply to I agree with Rusty

          Do you ultimately report to this VP? If so, then you’re most likely out of luck and will have to give him what he wants. If not, have your superior go up the chain of command to see if your VP will support the decision to keep things locked down. If he will, then HE should have the backbone to go tell the pain VP that it ain’t happening and why. If he won’t support you, then once again you’re out of luck and will have to give in regardless of policy.

        • #2735063

          Above all, CYA

          by tachyoninc ·

          In reply to I agree with Rusty

          No matter how it turns out, GET EVERYTHING IN WRITING, with appropriate signatures. My experience is that CYA is very important, for yourself, and for possible future removal of bad apples.

        • #2731672

          People issues

          by rob.mangus ·

          In reply to WTH????

          In my whole life I have never been able to control anyone. The closest one can come to control is to create an environment where the other person is willing to go along. When you have that issue resolved then you can work with people. Until then policies are just writing and only mean what the boss says they mean.

          A little pain on the exec’s part will provide a substantial lesson and you the opportunity to shine as the person who “bailed them out”.

        • #2731499

          Business Justification

          by eth0 ·

          In reply to WTH????

          Words of wisdom: Business Justification

          Thank you Russell.

        • #2731707

          Let him have it …

          by jeffassessor ·

          In reply to Local Admin?

          Give up the control issue, (rule 1: “THEY” are always right), you can never win a pissing match with brass. Allow him to screw up and be VERY prepared to bail him out at a moment’s notice. The result: You start to look like the second coming and he begins to rely on you for more than just tech stuff (which he does not respect and believes to be monkey trainable anyway). Look at the big picture; YOU WANT TO GROW UP AND BE THE BIG FISH TOO!

        • #2731698

          We in IT are there for the users, not them for us

          by stomsaz ·

          In reply to Let him have it …

          I completely agree. Too often we set our policies very strict to save ourselves time and billable hours, and end up having a negative impact on the end users’ productivity. We sometimes make change requests so stringent that users will do anything in their power to get around us.

          I would rather be known as a helpful problem solving team member than as an impediment to productivity for the sake of an IT department “Policy” that was imposed on the users.

        • #2731674

          Yes, but

          by truthiness ·

          In reply to We in IT are there for the users, not them for us

          We’re hired to make good decisions that benefit the organization, not the individual. IT supports the end-user’s work and productivity, not their every whim.

          If an executive is willing to make you violate a company policy just because they have the power to, then they’re a crappy executive, and if the company lets him get away with it, it’s a crappy company. Granted, not much you can do about it except look for a different job.

        • #2724669

          All relative, define that good decision.

          by open2ideas ·

          In reply to Yes, but

          A real exec knows what his time is worth and how to manage it. At about $20,000 per hour, our former exec deserved all the support we could give, that “gold” support mentioned. If he had to wait an hour to do a 5 minute test install, decisions would be sacrificed, and he might not get that included break we all need sometime.

          The person with the restore instantly attitude gets the business award. You can track it, but bet the exec does too, in his terms. Our second line exec at $2,000 per hour deserved it too. They don’t make money being fools.

          The big guy had our best person work a week to design and install his home network and link it in. Would you really rather have a contractor patch into the home office?

          It really is the company interest that has to be cared for. I’ll bet the person that refuses to budge on rules also gives “gold” service, even harder, or else is on a short list.

        • #2731496

          The issue here is EGO…never be a wannabe

          by eth0 ·

          In reply to We in IT are there for the users, not them for us

          The VP clearly has no direction with which he wants to take his PC. He just wants admin rights to defeat his inferiority complex. This is a separate issue, not a justifiable business decision.

          Remember there are wannabes out there and they will always be wannabes.

        • #3305476

          Steaming Mad- This is not McDonald’s

          by t165 ·

          In reply to We in IT are there for the users, not them for us

          Let’s face it in the wake of Sarbanes-Oxley we no longer have the luxury of simplifying change requests. We now have to document every change that we make and the reason for the change. And to be honest for every request that a user makes which it only takes them 2 minutes to complete the form I have put in 20 minutes implementing the change and another 20 minutes documenting the change and its possible effect on the overall network infrastructure. So I refuse to sit there and listen to them whine about having to take 2 minutes to fill out a form. And I also refuse to allow them to have administrative rights on their boxes as even when they only take down their own systems I will have to spend an hour bringing them back up. That hour in my world is not a billable hour. I have a certain amount of hours each day to accomplish a great deal of work. If that work is not completed I have to connect from home on high speed connection that I pay for out of my own pocket to complete the necessary work so that I do not become hopelessly backlogged. Computers are given to end users with more applications than the users could ever use with ideal configurations, but in the fast food mentality world everyone thinks that they should have it their way. With no regard as to the time that I have to take away from my family to make it so that they can have it their way. IT departments are stretched to the breaking point already trying to keep computers secure and updated regularly. I know that I am ranting here but I learned the hard way that unless the end user knows how to restore his own computer as you will be reloading it if you give administrative authority. And trust me no matter what you say upfront you will also be reapplying their customizations and you will spend a great deal of time trying to recover what you can from their old system, and answering a million tiny little questions that they will pepper you with as they try to find the best way to improve(crash) their system. The only admins who truly just Ghost unconditionally are those who are within a year of retirement and don’t care if the ax falls on their heads when their VP can’t find his NASCAR bookmark in his favorites.

        • #3180991

          Are you still alive? It sounds like next stop strokesville

          by Anonymous ·

          In reply to Steaming Mad- This is not McDonald’s

          If you go home at night and log in on a line you pay for to do more work for free you are not that smart. Now don’t get me wrong, you may be brilliant, but you are working harder not smarter.

          If logging on over high speed is required for your job then the company will pay for it, period. Otherwise you are doing something they don’t think is necessary.

          You are taking your responsibilities WAY TOO SERIOUSLY. Relax.

        • #2731693

          We fought that same battle

          by coldbrew ·

          In reply to Let him have it …

          Our Tech dept fought that same battle. All the brass got what they wanted and we got stuck fixing it. We fixed it but sort of picked and chose who to make examples of. Trying to explain IT to non IT execs is like standing knee deep in gasoline juggling road flares.

        • #2731677

          Jeff has the right idea

          by buschman_007 ·

          In reply to Let him have it …

          If you turn this fight into you against him, then if he gets his way and doesn’t screw up your IT policy looks like fluff. If you are supportive, don’t take it personally, and just advise of the “potential danger” then you can’t be wrong. Document everything to prove how right you are 😉

          Mike

        • #2731465

          On the other hand…

          by saintgeorge ·

          In reply to Let him have it …

          If you are dealing with a senior exec dumb, er, I meant unreasonable, enough to think he/she knows better than policies, you should be ready to be held accountable for the mayhem he/she might cause, locally or all over your net.

          Specially if this is not really an IT-educated person, which is almost always the case. Or even worse, it might be a half-cooked IT-wiz wannabe.

          He (why doesn’t English have a neutral pronoun?? I’ll say HE but remember, women can be unreasonable too. Not saying that happens often though).

          He will never admit it’s his mess. Somehow you should have managed things so he could have had administration rights in a completely sealed-off secure environment. After all that is why they are paying you a salary, right?

          How to avoid that? No specific way. Each case is different, specially if you don’t have higher-powers backing (and that is surely the case, or we wouldn’t be discussing this).

          I agree. Be ready for damage containment. But do not, repeat, do not be surprised if instead of Christ Reborn you are treated more like something the cat dragged in. Egos don’t like to be proved wrong…

        • #2731688

          ie. Local Admin

          by valor ·

          In reply to Local Admin?

          gpartridge@mdi-ltd.com, the issue with the executive being granted Admin rights is that you not only circumvent the IT Policy thus making it worth nothing, but setting a standard of foregoing the policy. Have your dept head set up a meeting with him and the company senior to force them to either support you or let you know where your policy and dept stand in their eyes.
          If he cannot provide substantial reasoning to his boss for having admin rights, then it shuts the issue down right there. Thus, it prevents any further heartache or conflict. Trust me, he won’t wish to look like an idiot in front of his boss. BTW, don’t do all this via email. Make the meeting a face to face meeting.
          As far as possible threats, there are many security issues with granting admin rights as most already know. Proprietary company info can be leaked by an untrained Admin making changes to by-pass features of your network security structure. Once he makes changes to his laptop he may inadvertently cause a virus threat to your network among other things. Educate his boss in order to stop the executive in his tracks.

        • #2731654

          Playing with fire

          by zaferus ·

          In reply to ie. Local Admin

          I agree 100% with the risks of giving someone Admin rights, but what consolation is it to be right when you’ve got bad marks on your reputation because you’re being badmouthed at exec levels, or worse – if you’re in the unemployment line?

          I dealt with situations like this when I was doing consulting work, and I would normally try to clear it up by:

          1. Business people understand risks. Explain to him that the more changes he makes, the more he could alter the high integrity business standard you have on the systems. Explain the risks to “potential business continuity disruption” – this is where you hit the exec at his primary business function.

          i.e.: is he in front of clients? “How could it affect our reputation if the system crashed during an important presentation?” If he does reports “What could be the cost of lost data if the system crashes at an important deadline?” Does he travel a lot? “How are we going to support him if he’s down and 400 miles away?” “We value our ability to give good service to everyone here and I’m genuinely concerned that this could affect our ability to continue giving the same quality of services.”

          2. Explaining the risk of security or lawsuits – “I’m not as concerned about our time, it may be a good excuse to grow the resources of our department, but what could happen if some innocent looking unauthorized software utility installed was exploitable by a hacker and someone stole our company data from the laptop or used it to steal data from our network? What would be the perception from our clients if we had to go back and tell them their personal information may have been compromised? What could that do to our corporate reputation/stocks? What would be the cost of just one incident? Not to mention any potential lawsuit risks?”

          3. Explaining the increased cost of support. “We would be happy to give increased rights to these users, but we may require additional support staff to handle the increased support requirements.” Maybe even mention to help reduce downtime you need a “spare” system of that type! Or propose using a user based recovery system (like xpoint). Be prepared with some statistics, costs and nice flashy graphs to illustrate your points! Nothing brings this “give me rights” game to a halt faster than showing increased costs without increased benefits to the decision maker!

          If the CEO/President says “go” then give it to him and thank him for the time, and get some additional equipment and put an ad on monster.ca for another tech to grow your department – and look at the bright side. My experience is that most likely if you talk to the big cheese in his language (costs and risks) that this will all come to a screeching halt.

          Either way – good luck with that! Political problems at the exec level are tricky at the best of times.

        • #2731643

          Way to go Zaferus

          by valor ·

          In reply to Playing with fire

          Very intelligent response. Quite enjoyable reading. You sound like someone who has been in the line of fire a lot and the points you make are right in line with one of the proper ways of handling an issue like this.

          If they still wish to go forward with it, I would also ensure there is written documentation to keep you from being a scapegoat in any legal or Admin action.

        • #2731631

          Licensing compliance? (and other issues)

          by csangel89 ·

          In reply to Playing with fire

          Excellent points zaferus!
          Since a good executive should look out for what’s best for the entire company -- here are some other examples…

          We once had a policy that users could control their own computers--and ran into problems with all the internet programs affecting bandwidth for everyone. Users couldn’t get actual work done because there was so much “other stuff” on the network.

          A bigger issue, however, was the unlicensed software that people would just happen to have a disk for--whether from home, their buddy, or something they downloaded from the internet. Basically, the company-owned resource was becoming their personal computer. If audited and prosecuted, we could have been liable for over $300,000 in fines alone. Sure, making them sign a waiver could decrease our liability, but why have this loophole in the licensing compliance policy? Is it possible to have a blanket waiver for every liability that could come up??

          Since locking down the workstations, and requiring a legitimate business reason for installing and purchasing software, our software and support costs have decreased dramatically.

          Some of the postings are arguing that giving users admin rights increases productivity. We’ve found out quite the opposite — that removing admin rights prevents users from installing all those software “toys” and distractions that decrease productivity. Yes--this applies to executives also.

        • #2731423

          Amen

          by nickb ·

          In reply to Licensing compliance? (and other issues)

          Amen to that

        • #2736752

          ie. Local Admin

          by orvinabbott ·

          In reply to ie. Local Admin

          Policies in some organizations are only there to appease auditors. They only apply to those below Senior Executive Officer and in some cases below VP. When challenged with written policy in front of the CEO, he states we are not being flexible enough and that the SEO’s are who pay our salary and they are allowed to do whatever they wish and we are to support no matter what. If they break it, our job is to make it right!

        • #2731667

          bucket of worms

          by jespalmer ·

          In reply to Local Admin?

          The problem with giving any user full admin rights on their computer is that allows them to install software that could potentially harm the entire network (like kazaa or another IRC app). Also, that gives them the ability to lock out domain admins, change the local admin password to something less secure, disable antivirus programs… in other words, a BIG bucket of worms. This is especially dangerous with a laptop user, who will log into his own home network (over which you have no control). Don’t even get me started on the WIFI!!!!

          If it’s not already too late to do so, I would explain calmly all of the above risks to this executive, and in a very polite way mention that even though you don’t believe that he would do any of that, if you break policy for one Executive, then all the others will want their own exceptions. My experience has been that if you kill him with kindness – tell him that you will be more than happy to help him install any software necessary for him to perform his job – then he will find out that he won’t actually need to bother you much at all.

        • #2730966

          Local Admin privilege

          by stefanes ·

          In reply to Local Admin?

          I wholeheartedly agree with your statement. Myself, a telecommunications engineer, do a lot of international travel in Latin America, Africa, Middle East etc. I cannot count on the IT dept of the company, located in Montreal, Quebec, Canada, to support my lap-top whenever something happens while in the field.

          Best regards

          Alex 🙂

        • #2735817

          I agree

          by terry.bizogias ·

          In reply to Local Admin?

          and furthermore it is the job of IT to help him fix those problems he caused.

      • #2736960

        I am exec support at my company

        by jboardman ·

        In reply to Maybe exec support

        After several years of this fight, we finally just created an exec support – me. While the rules are the rules, keeping the execs happy is policy for several reasons. The execs had to cover the cost of my salary plus two spare machines to cover their “mistakes”. I ghost each exec’s machine when it’s imaged and set up for them. I make sure it costs at least 24 hours for each error that causes a “reimage”, then back up their data and ghost their image down and replace the data. They’re happy, we’re happy, and after a time or two being without a machine for 24 hours, they’re a lot more careful what they do with their admin privileges.

        • #2731750

          Perception vs Reality

          by josche ·

          In reply to I am exec support at my company

          I agree with jboardman’s technique – minimize the risk, but if there’s an issue make sure they know the damage it caused. At the same time – if you think you’ll run into issues before you can get them imaged with spare hardware waiting, you might try renaming the admin to something else, then create a false admin ID with as much rights as needed – or give this false admin ID rights that expire. You can then explain that certain installs won’t work because of other security settings on the laptop but it may cut down on un-approved installs.
          Ultimately you’ll need to make your case with #’s not policies in place. Once this VP (and their boss) understand the overall cost involved, they may back down.

      • #2736956

        Excellent!

        by sandym ·

        In reply to Maybe exec support

        Brilliant response from Gralfus – I had a similar problem and fortunately had a good enough relationship with the user for him to trust me to sort him out after he had “fiddled”.

        A month later the user was instrumental in pushing through a new server purchase at a time when the company wouldn’t purchase anything!

        • #2731700

          Put him to work.

          by k2zedx ·

          In reply to Excellent!

          We all know that from middle management up, you are not going to win. Execs are the worst. I would suggest giving him the desired rights, and then when he comes to you with a problem, explain that you gave him admin rights, and he has the ability to fix his own problems. Once he realizes he is in too deep, you can sit him down with you and bore him to tears with all the fixes you will have to perform. If you take up enough of his time, he might not cause any further problems.

        • #2731586

          CIO’s Job

          by gnostic1 ·

          In reply to Excellent!

          Inform your CIO and let him/her do their job, which is to deal with other executives on matters such as this. They don’t pay you enough to fight these battles; they DO pay the CIO enough.

      • #2731661

        Exception to Every Rule?

        by srh ·

        In reply to Maybe exec support

        You could allow people exceptions to your rule, but only if they sign off on a ‘waiver’ that says by going outside IT procedures, they are forfeiting their rights to support, maintenance, backup, or whatever parts you feel are necessary.

        This waiver might be created where not only does this exec have to sign, but his higher up. That way the boss of that guy has to agree, and you can step in and explain to the higher up why the policy was instituted, and maybe why this guy shouldn’t receive his exception. Policies are a business process, not an IT process, so make the business managers say ‘no’. Let your IT always say ‘yes, as long as policy permits’

      • #2731637

        This needs to be discussed within IT

        by prplshroud ·

        In reply to Maybe exec support

        I don’t know the structure of IT at your company and where you report on the org chart, but…

        If you’ve got a CIO at the VP level, a chat with him/her about this would not be out of the question. Get your reporting VP in your court on this, and then let the issue be dealt with at that level. The last thing you’ll need is to have spats like this going on between yourself or your manager with a VP.

        If your VP is the CFO, you will have a harder time explaining the issues and winning them over.

        Just my $.02

      • #2731634

        Re: Admin Rights for Execs

        by dave shaw ·

        In reply to Maybe exec support

        We have a number of staff positions dedicated to managing *exceptions*. We negotiate with the exec’s staff to determine the exceptions and determine who will be taking advantage of those exceptions. A service agreement is signed, and they go on about their way. Currently, out of 100k users, we have only 7 of these individuals.

      • #2731616

        CYA

        by anthem ·

        In reply to Maybe exec support

        Well, the way I look at it is that anyone who is competent enough to trust with administrative privileges won’t have to ask – they can just blast out the administrative password on the local machine, and do whatever they like.

        So, you’ve determined by the simple fact that they asked the question that they don’t merit administrative privileges… Here is what I do – I give them a local administrative account, never never never an administrative account for the domain, and let them do their damnedest. On XP I’ll set a restore point, on earlier OS’s I’ll copy the registry hives, or in some cases create a system image.

        A lot depends on your relationship with the person – if it is a bit adversarial, then they will blame problems on your “incompetence,” and try to undermine your credibility at every opportunity. The key here is in relationships – make yourself this person’s ally, keep documentation, but keep it to yourself. Dialogue with them, explain to them the destructive forces to be reckoned with, and the risks involved…

        But if we are talking about logging on to the domain with an administrative password, NO WAY,

    • #2692225

      Self preservation

      by dc_guy ·

      In reply to admin rights for executives?

      You have to consider the totality of your career, not just your primary responsibilities of providing network support. In general the wisest thing to do is to completely defer to an executive if all he’s doing is causing a little trouble, not breaking the law.

      You’ll be able to fix the little problems he causes. If you tick off the wrong person and get fired, you will have a big problem, and those are harder to fix.

      • #2692220

        so what you’re saying is

        by hiro_protagonist ·

        In reply to Self preservation

        that it’s better to be fixing an executive’s broken laptop than to be looking for a new job…
        got it… 8 )
        I think I’ll just squash the little ego I’ve got going on and just give the guy what he wants, and smile while doing it…
        Thanks guys!

        • #2692210

          Good Move – I deal with it EVERYDAY!

          by tomsal ·

          In reply to so what you’re saying is

          Good move Hiro,

          Definitely in a situation like this…”bow down” to the executive and give them what they want. Trust me I’ve fought this battle myself for a long time and it’s just pointless in the end.

          BUT!!! (Of course…there’s ALWAYS a “BUT”! lol)…

          But DOCUMENT DOCUMENT DOCUMENT!!!

          I may “give in” to executives who want admin control, but trust me I keep it all documented with the exact date (I’ve gone as far as put the exact TIME like 8:39 AM…in my documentation) and I ALWAYS inform our Senior Ops exec who is also an ex-IT guy, so it’s the closest to a CIO we have here.

          If you inform someone and keep good documentation..THEN when they screw up — you have the power behind you to say “Hey I told you so and here’s the proof oh and ask [CIO’s name here] as well”..lol..

        • #2731762

          exactly

          by ristau5741 ·

          In reply to Good Move – I deal with it EVERYDAY!

          I agree 100%, they are the ones trying to run the business, not us in the trenches.

          If they want it, give it up, document it, if you have issues, notify your manager in writing and move on. Once this is accomplished, it’s no longer your responsibility. You have done your job, that’s what you get paid to do.

          It has taken me a long time to learn this.

        • #2731747

          Make It Hurt

          by johnnysacks ·

          In reply to so what you’re saying is

          If your direct supervisor says no, why is he going after you?

          If you’re the guy saying no, you’re soon to be road kill. This guy gets canned by the company, then he’s capable of convincing superiors (same ones that canned him?) that his attitude is 100% in line with the company AFTER the fact? He’s a two faced liar with salesman skills that will bury you.

          If the guy is indeed a menace with an over-inflated ego, you’re not going to get a call unless he’s got the laptop 100% hosed.

          Screw imaging the hard drive, backing up his data is his problem, reformat IS an option. Make him submit a formal request for service. Put an oscar level performance on looking energetic and enthusiastic, he’s your buddy ole’ pal, golfing, sailing, dinner at the club… right? Dog the job, the normal company operation is on hold while you attend to his issues.

        • #2731613

          you had better advice than this!

          by techiefromhr ·

          In reply to so what you’re saying is

          It’s not about squashing your ego, Hiro_P… It’s about what’s best for your business and that’s not always giving in. What if everyone asks for the exception? What will your reputation (and your dept’s) become after all the VPs have total access and screw everything up all the time. If the ego-guys can’t deal with a little IT policy, then they’re not going to admit to anyone that they screwed up the computer–you’ll get blamed for all their problems. So, you’ll be looking for a job anyway!

          Reread the messages about working with the higher levels of the organization, creating an ‘exec support’ person–hey, even create a “charge back” policy where your dept gets to charge the execs for “out of the ordinary” fixes due to out-of-policy access. But don’t just consider giving in without discussing the business needs, ramifications, and costs with higher ups.

        • #2731450

          your reputation

          by mykill ·

          In reply to you had better advice than this!

          I Agree with ” clamo88 “. If you Submit to His Requests without Discussing the Matter with those in Charge take a guess Whom they will Blame when things DO go Wrong. So prepare 1st then Discuss the matter, ramifications, and costs then go with Their Recommendation. ” Let the Boss have the Final say “

      • #2731717

        More self-preservation

        by gsquared ·

        In reply to Self preservation

        Make it clear in the written documentation of the granting of admin privileges that, if he brings a virus or other destructive piece of software into the system through action or negligence on his part, that he will be prosecuted on criminal charges for cyber-terrorism. Kind of the ultimate CYA. Even if you never prosecute, it will at least give you an escape hatch if he brings in something that causes a disaster.

    • #2692203

      Deny him rights…

      by mrafrohead ·

      In reply to admin rights for executives?

      You as well as I know there is no such thing as an exec that should have any Admin rights.

      They’re dumber than a post when it comes to doing anything on a computer, let alone trying to just turn one on.

      You give that person rights and they’ll hose the machine and cause your department to spend unnecessary time fixing a problem that didn’t need to happen in the first place. And the exec won’t care, and will more than likely do it again.

      That’s my experience, and I’m stickin to it.

      Mrafrohead

      • #2692194

        totally agree but what am I to do?

        by hiro_protagonist ·

        In reply to Deny him rights…

        That is exactly my experience with this issue. Even the most tech savvy 50+ year old execs are total noobs. Of course there are exceptions, but it seems to me that unless you grew up with this stuff you just don’t “get it”. Have you noticed that some people when presented with two options to click on always click the wrong one?

        But what am I supposed to do? We’re not a big company at 200 people. I am the sole support guy and will have to deal with this exec all the time. I think I’m just gonna bite the bullet and give him enough rope to hang himself.

        • #2731752

          Evaluate the pros and cons

          by fabian.vandermerwe ·

          In reply to totally agree but what am I to do?

          As most Systems Admins, I am very busy with very little time in the day to deal with “petty” problems. One needs to evaluate how difficult this Exec can make your life. If he ranks higher than your boss then perhaps you should think about doing his bidding.

          Personally I won’t. A policy is there to govern employees and officers of the company and hence needs to be obeyed by all. My CEO is an “IT Man” and he obeys IT Policy. He however does have Local Admin rights as he connects his MDA to his notebook. However our policy states that certain users may be granted Local Admin rights at the discretion of the IT Manager and Systems Administrator.

          I hope this helps.

          F@bs

        • #2731594

          Ahhhh but that’s just it…

          by prplshroud ·

          In reply to totally agree but what am I to do?

          He won’t hang himself. He’ll hang you. Even if you have enough documentation to convince a US congressional committee, you’ll still lose, because he is the VP and is “in the club”. A gent that I once worked for said that “VPs are not your friends or your buddy. They’re different.”

          I’d re-read the message I posted earlier today. If he’s coming directly at you, he’s using, no wait, he’s abusing his power to scare you into doing what he wants.

          Remember, your primary responsibility is to the company, not the person(s) you work for or the person in the office next to you, but the company. You have to do what’s best for the company.

          As I said…I’d re-read my earlier post and take that action. Let it be duked out at the VP level. If he comes at you again, tell him he’ll have to take it up with your reporting VP.

        • #2731547

          OMG You took the word out of my mouth

          by sysadmintech ·

          In reply to Ahhhh but that’s just it…

          Exactly he will not hang himself the only one he will hang is you. Keep in mind he is part of the millionaires club. He is a great producer, and his colleagues will take his side before they take yours.

          Word from the wise… the last thing you want to hear is…. you don’t know what you’re doing.

        • #3180539

          What are you thinking!?

          by Anonymous ·

          In reply to Ahhhh but that’s just it…

          Why in the world would you want to start a P*ssing contest between VPs!?

          Usually the IT VP is NOT the alpha dog anyway and does not want this problem dropped on their doorstep by someone under them. It just makes no sense. Unless the IT dept is itching for a fight (and with the budgets and positions being cut who wants a fight), give the VP whatever he wants. Anything you do that makes you a valuable resource to the people in the positions of power is a GOOD THING. Man, why is this hard to understand.

        • #2731549

          Admin Rights Exec’s

          by sysadmintech ·

          In reply to totally agree but what am I to do?

          Just want to say from my experience as a LAN Administrator, I never had a problem with giving administrative rights to my end users on the local machine….once I get to know them. Local rights is the safe way to go about it.

          Best for laptop users.

          Please keep in mind once the user logs on to the network (Domain) his/her rights are limited, they will have to log on to the local profile on the local machine to make changes. Granting the above rights will keep your network infrastructure safe and secure.

          However you might want to start by giving the big dog rights as a Power User in lieu of Administrator. Be easy on yourself get to know the user first and analyze his or her needs then give rights accordingly.

          Hope this advice helps!!!!

          Best of Luck !
          LAN Administrator
          Samuel Ramos

      • #2692814

        local admin only!

        by djent ·

        In reply to Deny him rights…

        Ghost his drive, limit his network rights. If he blows it up oh well, restore and let him worry about changes and data.

        • #2736958

          Local Power User

          by shaggysheld ·

          In reply to local admin only!

          Deny him local removable media access via policy, and give him the same clientuser rights as everyone else to network drives.

        • #2731544

          Local Admin

          by sysadmintech ·

          In reply to local admin only!

          I have to disagree with this statement. No offense but when you are a LAN Administrator everything falls on your lap.

          So be prepared for the responsibility. Before allowing a user full rights to the PC, you should always make it clear to them that you will not be responsible for the personal data and software on the local machine.

          As we all know all end users should be saving company documentation on the network for daily backups.

      • #2731629

        Stupidity

        by whosyrbudy ·

        In reply to Deny him rights…

        Mrafrohead…
        This is perhaps the most ridiculous overgeneralization I’ve read in a long time. Obviously the exec is “dumber than a post” because he is probably making 3x as much as you are with the apparent attitude problem that you have. The other guy who wrote about prosecuting the guy for Cyber terrorism if something “got through” is also someone who has an inflated sense of his own self worth within the organization. You are there to help people, not threaten them… Maybe a little education on how to not do something stupid would go further than the threats.

        • #2731543

          CYBER Terrorism

          by sysadmintech ·

          In reply to Stupidity

          BAhahahahahahaha that is the funniest thing I ever heard.LMAOoooooooooooooo

        • #2702262

          You’re funny…

          by mrafrohead ·

          In reply to Stupidity

          You must be one of those CEOs, and I must have struck a nerve… nyuck nyuck nyuck…

          Just because someone makes 3X as much as me, doesn’t mean they are smarter than me. I mean, think of it like this. MOST CEOs don’t really make wise decisions for the business anyhow. They want to make money, so they lessen the crew’s pay, cheapen benefits and then get a lousy product to replace what made them famous. Which then leads them down the path to extinction.

          Don’t believe me? Look at Carly Fiorinsomething from HP. Crap, even McDonald’s is having problems from making their stuff different than it has always been.

          Don’t tell me that it was the IS guy that did that…

          Lastly, who in the hell was talking about threatening. There is no threat in a simple, “NO”. It’s just that, NO. Nothing more, nothing less…

          Just because someone is the jokester of the company, doesn’t give them “special rights”.

    • #2690797

      Different approaches

      by deadly ernest ·

      In reply to admin rights for executives?

      I have experienced this in a number of different work environments, both private enterprise and govt bureaucracy.

      The first thing is I point out what the policy is and that I do not have any authority to override or change the policy if I wish to stay employed, then point them to the person who authorised the policy. Funny how the execs don’t want to waste their boss’ time with minor things like this.

      I have seen organisations that have a set format for all their machines, those wanting to personalise them can have all the admin rights they want and get personally billed for any service calls on the machine as the support people are only there to support the standard set up.

      I have also seen organisations that resolved this by having the set format installed on the network controller and whenever a machine logs on to the network the server checks certain files and then applies any program updates/upgrades needed and restores the system to the current format, and every machine is shutdown over the weekend. Most people who want to personalise either get used to doing a regular resetup or give up on it.

      Others that have no solid policy and allow this do an image every time they update or upgrade the system. When they get a call and it is not an easy fix they just reimage the machine. We got the image discs to such a point that we trained some ‘regular’ exec clients in putting the image disk in and doing it themselves, made two disks for these guys. This saved us many hours’ work as they would reimage whilst out at a meeting or lunch.

      • #2731540

        So many ways to go about admin rights

        by sysadmintech ·

        In reply to Different approaches

        …and I see EEBYWATER out of a job pretty soon.

    • #2691593

      Reply To: admin rights for executives?

      by frankieee ·

      In reply to admin rights for executives?

      Just make sure it’s considered a company policy not to have admin rights. You might want to hold a lunch-and-learn about ‘User Policies on the Network’. If he’s giving you a really hard time give him local admin rights, then just tell him that if something goes wrong with his pc then you’ll need to revoke his rights as an administrator on that pc. You don’t want to have to keep fixing a pc due to user errors. Tell him that time is money and I’m sure he’ll agree. If you do give him local admin rights, he may not be as tech-savvy as he appears to be. If he’s not technical, then it will be a novelty for a few weeks then he’ll forget about it. If it’s for simple tasks like changing wallpaper/fonts etc then it’s not worth making an issue of it, just give it to him.
      These are my personal opinions and ideas on how to manage that type of a situation.
      Good Luck

    • #2736962

      Paper is the key.

      by kiero ·

      In reply to admin rights for executives?

      Run into this situation myself, execs are not above company rules.

      Make him understand and get him to sign a non-disclosure/disclaimer form, making him fully aware that any problems or damage caused from him having admin rights, HE FIXES.

      He wants admin rights, he can have the responsibilities that go with it.

      • #2736957

        That’s all very nice

        by agnostic ·

        In reply to Paper is the key.

        But at the end of the day hiro_protagonist is the IT support for his organisation – he can’t just deny support to this person because they want greater access.

        Hiro, you’ll have to bite the bullet and give him the access (he’s an exec, you’re support – no use fighting a battle you won’t win, or making an enemy of an exec).

        But, as other people have advised, ghost his machine so it can quickly be restored. Also configure offline folders or some sort of desktop backup client to save off his data every day, so you can restore it if he does corrupt the machine.

        • #2736954

          What about safe data options

          by robthegeek ·

          In reply to That’s all very nice

          Hiro, you might want to set up a partition on his drive for his data, and then ghost his main partition. Stick the image on the partition with the data, if he has a problem with something he did, he can re-image it himself with a simple boot disk you set up with the command sequence already in the autoexec. If the problem is something you have to fix, chances are it was going to happen anyway. Not all the execs are tech-stunned, some are just accident-prone.

        • #2731673

          Dual Boot

          by bentley ·

          In reply to What about safe data options

          I go one step further and set up three partitions:

          1.) Default 2K/XP with full local Admin rights
          2.) Alternate 2K/XP with only User rights
          3.) Data partition (move My Documents and email files to here)

          I use System Commander to isolate and protect the boot files.

          If the user screws up the default system he can reboot to the alternate and continue working until I have time to correct the problem. The only problem I’ve run into is training them to not store files on the desktop (but one system failure usually corrects that situation).

        • #2731662

          Current IT Attitude

          by valor ·

          In reply to That’s all very nice

          Question 1 – Why do we even have policies if they are not enforced or followed?

          Question 2 – Can the Lawyers, Judges and police break the law by mere fact that they are in positions of authority?

          It is apparent that IT does not gain the respect of the user community because of attitudes of “Just give in”…“He is an exec so he can have what he wants”…“Don’t fight a battle you can’t win”

          I am sure our country’s forefathers are rolling over in their graves….You will ultimately WIN their support and respect by standing your ground and enforcing policy. You do not have to be arrogant or unprofessional about it. Just state the facts and get his boss involved if it continues to be an issue. EVERYONE answers to someone, unless it is a sole proprietorship. If you give in to their every whim…do you think they respect you? Or…do you think they view you as one of their “yes men” or butt kissers? As IT professionals I think we are setting the stage for being ignored and abused if we allow constant by-pass of our policies.

          I know it sounds rather radical, but society has become complacent in almost all walks of life. Respect is earned and not given so show them that you are professional and you have the rules for a reason. Present the reasons in writing, fully lined out as to why these policies are in place. If you cannot explain the need for the policy or don’t have a clue as to why they are in place, then you have already lost the battle and the policy needs to be changed. Bottom line.

      • #2731724

        But who sets the rules?

        by dumbuser ·

        In reply to Paper is the key.

        >>>>Run into this situation myself, execs are not above company rules

        Actually, in most companies, execs make the rules.

    • #2736955

      He’s the boss, then he is responsible

      by kevin.dorrell ·

      In reply to admin rights for executives?

      If he insists on having privileged access against all your recommendations, get your security policy changed to include his specific privileged access, and ask him to sign it off.

      • #2736953

        He’s the boss! !

        by orvinabbott ·

        In reply to He’s the boss, then he is responsible

        Recently we had a similar incident, and due to the exec’s feelings being hurt when he was denied access, we were called before the CEO, the exec and HR to be written up for doing our job of enforcing policy. This included unauthorized installation of software (not enough licenses) by the exec, to equipment purchases that did not meet corporate configurations. From the CEO, you answer to anyone who is above your level in the food chain and if unauthorized/illegal software is installed, make it legal. It was very close to an escort out the door. We have documented in the past the infractions and will continue to document. HR gets a copy of all documentation on this exec’s activities that go against policy! It’s not worth losing your job over the exec who will have their way no matter what policy states. Especially if you have no support in enforcing policy! Document, Document, Document!!

      • #2736952

        Pass the buck

        by chris.harrison ·

        In reply to He’s the boss, then he is responsible

        The best advice I would give is refer him to your superior - you can’t change policy, you can merely advise on it. If your boss is asked the question by the exec, he will ask your advice, and you can have your say in the matter. Any clauses you want adding in if he gets admin rights will not come from you, so your back is covered. This kind of thing happens all the time where I work, so it’s become a ‘pat’ response to anyone questioning IT policy.

      • #2731764

        From Dogsbody to Dogsbody

        by expert-in-spe ·

        In reply to He’s the boss, then he is responsible

        Hi, I’m also young, bottom of the hierarchy and what’s worse female! We have a load of guys and gals here who get large paychecks and think that makes them a special customer.
        Make it clear that you are a dogsbody doing the job you are hired to do, according to the rules given to you and the best knowledge available. Don’t question them about their IT knowledge but rather about the business need and if you lose make sure you don’t have to spend hours cleaning up by having a standard image to give them. Be sure they know that they have to get the rest of their downloads etc. themselves. And don’t pamper them, it makes them worse than they would naturally be.

    • #2736950

      Meet him half way

      by gknight ·

      In reply to admin rights for executives?

      Why not try him on Power User rights on local machine first and see if he can do all he needs with that?

    • #2736949

      Who’s the boss?

      by johnrains ·

      In reply to admin rights for executives?

      You specifically said “executive” which implies his right to set company policy – IT techs do not really have this level authority so be careful; this could quickly become a ride you will wish to get off.

      The problem you are facing has two facets – technical and political.

      Politically, I would find the executive who currently “owns” the policy and ask for their ruling on the policy amendment. If the result is an amended policy that allows the executive administrative rights, go ahead and give them. If not, the problem is resolved without you being the bad guy.

      Technically, if you want to be a top notch tech, you’ll also set up some method to rapidly restore the system in the event of a screw-up. Alternatively, if you are one who wants to believe that “IT rules”, you’ll impatiently await the day that you can take about a week to rebuild the laptop as punishment for the exec’s insubordination towards IT’s overarching authority.

    • #2736947

      CYA

      by humphred ·

      In reply to admin rights for executives?

      First, make sure it’s not just IT policy, but that the CEO (aka president) has signed off on it. Get it signed off if it isn’t already. Then he’d have to justify changing the policy company-wide.
      Second, if it’s not ‘company-policy’ he’ll probably get it. Be prepared to document every minute you spend supporting his laptop, and the associated costs. $ talks when you build the case to remove the priv.
      Third, look into conducting ‘configuration reviews’. It’s a good excuse to see what’s been installed, keep it updated and within spec, and remove what’s not allowed.
      Remember, document everything regarding this ‘exec priv’ and eventually you’ll have a case to remove the priv, assuming he abuses it.

    • #2736945

      Policy Is the Rule

      by executive ·

      In reply to admin rights for executives?

      Regardless of this person’s history, he is now a Sr. VP in the company. As with all employees, he must follow the policies. So, if the policy is clear that admin is solely the domain of IT, then he cannot be given admin privileges by you, since that would make you in violation of the policy. If there is room for exceptions to the IT only condition, then give him privileges. This is because exceptions become the rule across time.

      If the situation is the former, tell him that since his previous tenure with the company, policy and policy enforcement has changed. Should he feel it is better for the company that individuals have admin privileges then he should submit same to the policy people (varies by company) for their next review.

      If the latter, then you bring the non-exception position to the policy people for their approval by using the exceptions as examples of wasted IT resources (fixing individual’s mistakes, re-securing systems and reducing company risks of liabilities from misuse) and inefficiency of user time.

      Note that the decision to make the policy exclusive or non-exclusive is conditional on the approval of people outside IT. Keep this group aware of the risks of variations to policy, while you at all times follow policy as written and intended.

      • #2736942

        Remember Enron?

        by kevin.brunk ·

        In reply to Policy Is the Rule

        I agree with Executive. But, it may be helpful to remember that in the era of Sarbanes-Oxley and the failure of Enron, the Worldcom and Tyco debacles, companies should be VERY wary of executives who seek exception to established policy. Who knows what their motives are, and what they might be able to do “underneath the covers” once they have more authority than they are supposed to have – especially unsupervised authority.

        I am tempted to say that, now, perhaps all policies should include a disclaimer that should any (senior?) executive seek exception to company policies, the CEO/COO, CFO, and/or the senior executive committee, as well as the Board of Directors should be advised. After all, they are the most likely candidates to be cell-mates of Martha if the requesting executive commits an illegal act having obtained the policy exception.

        • #2731728

          My thoughts exactly

          by dlavoie ·

          In reply to Remember Enron?

          If your company is publicly traded, then you are bound by SOA and must follow established policies and procedures. The era of executive privilege has passed, and your new VP needs to understand this.

          Then, there is always the possibility of illegal software being loaded onto his laptop. If it’s a company laptop, who will be fined? Or downloads that contain malware that could be spread throughout your network. Not good scenarios.

          My advice – stick to the policy.

        • #2731614

          Good advice

          by a.d.e.p.t ·

          In reply to Remember Enron?

          That is an excellent piece of advice for larger corporations.

          It justifies the policies in place and makes IT’s job easier in the end at the same time.

          Brilliant.

      • #2731725

        Exactly…

        by securitytech ·

        In reply to Policy Is the Rule

        This would depend on how your policies are structured and approved. All of our IT policies are approved by the CIO. Last time I checked the CIO sits higher than a Sr. VP.

        If your standards allow for exemptions (your policy should never allow any exemption) then require the VP to submit a formal request in writing in accordance with your organizational structure and directives.

        This is more than a policy issue though. If the VP is aware of people who just asked for rights and got them then your position is significantly weakened. However, if you have been abiding by policy and standards then you have grounds to require a formal request (if your standards allow it).

    • #2736944

      Exec Support/No Admin Rights

      by jamacdonald ·

      In reply to admin rights for executives?

      Most businesses now have Sarbanes-Oxley to deal with. If giving the exec admin permits him to bypass controls, then it is not allowed. SOX also requires you to minimize the number of people in the organization that have elevated permissions. Another aspect of it is from the information assurance perspective, POLP – Principle Of Least Privilege, give them only what they need to do their job.

    • #2736941

      Company-wide SOE is the go. Can the exec fire you anyway?

      by davebourke ·

      In reply to admin rights for executives?

      If this executive isn’t part of IT services, how could he fire you? You don’t report to him, he’s not in your department. Executives don’t have as much power these days as what they did a few years ago. If the exec was in the IT department as your own manager or something he’d have admin rights anyway since he’d have to approve whatever went on with the network.

      We run a standard SOE for the entire company. Executives receive the same rights as basic users with slight adjustments made in AD for access to reports and so on. All these adjustments are approved up the chain of IT services so regardless of what an executive thinks of you for saying no to granting him admin privileges they can’t really take it out on you since it’s the same scenario for everyone in the company.

    • #2736939

      Invoke SLA terms

      by habari ·

      In reply to admin rights for executives?

      I presume that you have some kind of SLA with the business/users. So let HIS boss know that any workstation which is “non-standard build” will not be supported by IT. Further, the PC is not his, it belongs to the company and hence must operate within company rules. Get him to put in writing/email how lack of the rights impedes his service delivery to the company while stating your reasons for the “standard-build”…of course copy his boss and yours, CYA. If he has good reasons, make very clear that he takes responsibility for any impact of the exception.

      • #2731727

        Customer Service???

        by dumbuser ·

        In reply to Invoke SLA terms

        Again, you can invoke all the SLAs you want–the perception will be that you don’t care about your customers. The reaction will be, “you’re fired.”

    • #2736938

      Everyone has a Boss

      by ce_younger ·

      In reply to admin rights for executives?

      There are exceptions to every rule (policy), and everyone has a boss. I would try to learn the reason for the request and find another way to satisfy the exec. If not I would require an exception form (with implications detailed) signed by the exec’s boss, image the drive and give the exec his rope!

    • #2736937

      Fact of life

      by racote ·

      In reply to admin rights for executives?

      There will always be the exec who thinks he knows more than he or she really does. There will be the prima donnas who demand a different brand of machine or software that will require extra support. There are those who will want you to support home systems.

      You have to build this into your plan. Because no matter how important the CIO is – the CFO or COO will overrule to keep peace. The smaller the business the worse the problem.

      • #2736933

        addendum

        by racote ·

        In reply to Fact of life

        Slipping slightly off topic - so much of this depends on the corporate culture. I have been places where even the CEO can’t get extra privileges to other businesses where the attitude was to give them whatever they want. Not all solutions will work in every environment (like we’re not used to that?)

      • #2731763

        Don’t make it hard

        by roger99a ·

        In reply to Fact of life

        Have his boss convince your boss to allow his access. It’s that simple. The VP’s boss is ultimately responsible for the VP’s actions and your boss is responsible for maintaining the integrity of IT policy. Get documentation for the exception if it occurs. Many people will try to bully those with less power than themselves, but shy away when they have to go up the ladder first.

    • #2736931

      Human Support

      by piratesam ·

      In reply to admin rights for executives?

      In a similar case, what I do, is to get to know the exec better, and ask him to mentor me in this specific case. I usually ask him what should I do, and how should I reply to him, especially in front of HIS peers. How should I justify letting him get Full Admin Privileges and refuse it to his peers. He knows best and you work FOR him.

      Of course, him being the mentor, he can have anything he needs to have, and you are here to serve him. How many times he screws-up is irrelevant: you work FOR him, and before you know it you will be working WITH him and there is nothing better than forging a good relationship with any co-worker be it a CEO or a janitor.

      The rule always applies: Please help me and teach me and mentor me.

      If – by miracle – you fall on a “one-of-a-kind” rotten apple, then at least you have it documented that you did your best and you let him hang himself by putting it in writing that you do not suggest (and the word here is suggest) that he get an admin access, and that he is being an exception to the rule, and that he is then responsible for any delays he might create with his laptop.

      REMEMBER that this does NOT mean he will have any privileged access on the network !!

      Create a win-win situation.

    • #2736930

      Use the chain of command

      by robita ·

      In reply to admin rights for executives?

      First, either the company has a policy or it doesn’t. Having one on paper and having top management supporting it is where it gets tough. This is NOT his computer; it belongs to the company, and should be managed like other company assets. At a minimum I would ask for some signed authorization from a top manager. This provides an audit trail for SOX and at least you are not in the line of fire.

    • #2736929

      Many ingredients for the same piece of cake.

      by leonard j rivera sr. ·

      In reply to admin rights for executives?

      I’ve read through all the replies to your question and have dealt with this myself. Here is what I have to say.

      Take a small piece from what everyone had to say. Here is what I do.

      First of all, the law is the law, breaking the law has to be clearly defined in your IT policy.

      Is your company a public company or is it privately owned? This makes a huge difference in regulatory compliance which may govern what privileges he is allowed to have.

      Become his executive support and keep up to date ghost images, this will only help you in the end.

      Most importantly, and most here have stated it, document everything, cross your T’s and dot your i’s. Make this part of your status report that you submit to your supervisor.

      Defer responsibility, you didn’t create the policy and you are not high enough to customize it per user. No need to back down on what you told him. Simply explain you are willing to work with him in trying to get what he needs. (be political) But that you cannot allow this without higher approval. Then defer to your supervisor and get it in writing (either by creating a special privileges form or getting your supervisor to sign off on the work order).

      The name of the game is to keep the execs happy no matter what, at the same time you need to keep your systems safe so whenever there is a change in order, make sure it is documented thoroughly and signed off on by those who have the authority to change the rules.

      Use your own tools against him, we use spyware detection and blockers as well as scanning systems on a weekly basis for unauthorized applications. Just because he gets local admin rights doesn’t mean he can install anything he wants. I would not even cover this as part of the admin rights issue. Your IT policy should clearly outline this separately and it should be treated as a separate issue. When and if spyware or any other unauthorized software is discovered, you can address that. First by notifying the end user (yes SVP or not, he’s still just an end user) via email of the discovery and that the software will need to be removed, CC: your supervisor, then open a work order and schedule the removal.

      Summary – Do whatever you can to give them what they want. Don’t tell them it can’t be done, tell them how it can be done. Document everything and get signatures where needed. Enforce policy and keep your supervisor(s) in the loop. If the poop is gonna fly, remember to duck.

      That’s the best advice I can offer.

    • #2736928

      Why not?

      by nicknielsen ·

      In reply to admin rights for executives?

      Give him admin rights on his laptop, but, as suggested elsewhere, warn him that the turn-around time for any major fixes (reimages, etc.) is 24 hours. After a couple of long waits without a laptop, he will probably get the idea, particularly

      Another option to consider is making the user part of the Windows Power Users group? We have several non-Microsoft applications here that, according to the manufacturer, require the user have admin privileges to run; we tried “Run As” from the Users group, but it just didn’t work. Power User status appeases these apps without allowing the user too many excess privileges.

    • #2731765

      Executive buy in

      by markza ·

      In reply to admin rights for executives?

      We had a similar problem with an exec. Although he did not want to comply with the normal internal policy. We have a very tough CIO and total buy in from our shareholders and board members. We raised the issue with the Shareholders and they took up the issue at their next board meeting. We held our stance on the company policy. We also have two dedicated technical resources for our execs.
      The Exec finally agreed that although he was on the top of the company food chain, policies and procedures are a necessary and integral part of the company, and no exceptions could be made. Problem solved.
      This would not have been possible, if we did not have our shareholders and board member buy in right from the word go.

    • #2731760

      Wanabe VP

      by kkohl ·

      In reply to admin rights for executives?

      NO, NO, NO. We have the same problem (I think everyone does), and it is a struggle. Don’t give in. Stick to your guns. These people should realize they set the example for others in the company. Allowing admin access will only cause more problems.

    • #2731758

      History and TCO

      by gill ·

      In reply to admin rights for executives?

      What’s this chap’s history? Did he previously have the rights? And, if so, were there issues? If so, you have your argument to deny his request. If he cannot come up with a sound business reason for same, then no.
      Also, figures around down time, recovery etc would be useful to support your case as revenue is king.
      Good luck

    • #2731756

      Guns don’t fix IT problems…

      by robthegeek ·

      In reply to admin rights for executives?

      First of all, you don’t state that this is a company policy. If it isn’t a policy endorsed by the CEO, SVPs who request local admin rights will almost always win the argument. The only real option for you is to document everything that you or your boss have to do to maintain this machine’s integrity. As stated in some of the other posts, $ talks. Time wasted fixing an unproductive user’s machine is money wasted. Enough wasted money will lead to a review involving your department, this SVP and the head guy. Without policy in-place, you have no leg to stand on.

    • #2731751

      everyone wants to be god

      by jimmypi ·

      In reply to admin rights for executives?

      I get the same sort of thing all the time here. Unfortunately we are a software development company and all the developers need to have admin rights to their workstations. By employing SMS though I can watch for hardware and software changes that cause problems and I can take away or uninstall programs that I don’t want them to have, or even reinstall programs correctly that they screw up. I also get similar requests that “I am a VP and I want access to all the switch rooms and data centers”, which causes shivers up my spine every time I get them. My only reply is “so you want rights to trip up and bring down the whole network?” A really smart VP knows when he is over his head, and a computer usually is, even tho they won’t admit it.

      • #2731731

        And, of course, IT always wants to be god

        by dumbuser ·

        In reply to everyone wants to be god

        There are plenty of people desiring divinity.

    • #2731748

      Local Admin and CYA

      by plumley9 ·

      In reply to admin rights for executives?

      Every new employee and all of the old ones have been given the company policies and expectations of behavior. They have to sign a form agreeing to those policies before their network access is enabled.

      A) all machines have ‘Local administrators’ and most of the users know their password. These accounts can NOT attach to the network. The network account is a ‘power user’ level and the login procedure / group policy verifies that setting before allowing network access.

      B) I log any changes to the standard setup on systems. I also retain signed notes for any variances to the ‘standard’ setup.

      C) I have converted half our systems to XP Pro because of the ‘System Restore’ function; this not only enables fast recovery, but DOCUMENTS changes and when they were made. (We will convert the rest of the systems this fiscal year.) If you wish to stay with 2000, keep a ‘ghost’ of the drive as delivered and try Win Rescue. It works like ‘system restore’.

      D) If at all possible, avoid the fight. Document the variances and stay current with your logs.
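A sketch of the kind of check the "configuration reviews" and variance logs suggested in this thread could feed, added here as an example and not posted by any participant: it parses the output of `net localgroup Administrators` collected from a laptop and compares the members against a register of signed variances. The host name, account names, baseline set and register layout are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample of `net localgroup Administrators` output from one laptop.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\svp-laptop-user
CORP\\tempcontractor
The command completed successfully.
"""

# Members every standard build is expected to have (assumed baseline).
BASELINE = {"administrator", "corp\\domain admins"}


@dataclass(frozen=True)
class Variance:
    """One signed exception to the standard build (hypothetical register row)."""
    host: str
    account: str
    approved_by: str
    expires: date


def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    members = []
    seen_separator = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            seen_separator = True
            continue
        if not seen_separator or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    if not seen_separator:
        # A failed or truncated collection must not look like a clean machine.
        raise ValueError("no member list found in command output")
    return members


def review(host, output, variances, today):
    """Classify each non-baseline administrator on `host`.

    Returns (account, status) tuples where status is 'documented',
    'expired' or 'undocumented'.
    """
    approved = {
        v.account.lower(): v
        for v in variances
        if v.host.lower() == host.lower()
    }
    findings = []
    for member in parse_members(output):
        key = member.lower()  # Windows account names are case-insensitive
        if key in BASELINE:
            continue
        variance = approved.get(key)
        if variance is None:
            findings.append((member, "undocumented"))
        elif variance.expires < today:
            findings.append((member, "expired"))
        else:
            findings.append((member, "documented"))
    return findings


if __name__ == "__main__":
    register = [
        Variance("LT-0042", "CORP\\svp-laptop-user", "CIO", date(2025, 12, 31)),
    ]
    for account, status in review("LT-0042", SAMPLE_OUTPUT, register, date(2025, 6, 1)):
        print(f"LT-0042  {account:<28} {status}")
```
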

    • #2731745

      What is the problem???

      by relm ·

      In reply to admin rights for executives?

      Like all executives they are allowed to make their decisions, and live with the results. Let them! They will find out soon enough that they cannot afford the outages and loss results of their action. Or, perhaps in this case, they will be allowed a repeat performance of their lay off of two years ago. (You can only hope!)

      Another issue is of IT policies as opposed to a definitive “Security Policy”, as in ISO 17799, that is driven from executive sponsorship, and risk assessment of the legal liabilities. The question of wayward executives is answered and easily controlled.

      Robert Elm
      [HEGL International]
      P.O.Box 318,
      Hamel, MN 55340
      612-308-3002
      relm@usinternet.com

      ISO 17799 Information Security Management Systems
      (BSI Qualified Implementation Management & Auditor)
      http://WWW.heglintl.com

    • #2731739

      There is a way out of this madness ….

      by kaceyr ·

      In reply to admin rights for executives?

      At the company I work for, we run W2K on the backend servers and XP Pro on the workstations, including the laptops. For all workstations, the profile for the users is set so that they have local administrator access. This doesn’t give them squat on the servers, but gives them a lot of control on the workstation.

      Here’s the catch:
      We have group policies, that’s real Windows Policies not a piece of paper, that enforce a great many things on all users. Basically, anything that a workstation user could use to cause a problem is locked out. The only complaints that we ever got were the users who wanted to clear their web browser history (the policies also allow our Network Operations group to monitor certain activities and provide the ability to audit any workstation at any time), and those complaints were all within the first two months of the XP rollout.

      Now you may be thinking, “How do the developers get anything done???”. The developers’ workstations are all on their own subnet, within their own domain. Yup, our own domain all to ourselves. We’re allowed to do pretty much anything we want to our workstations, but when we screw up (WHAT??!!!?! Developers screw up????) we “flash” our systems back to the initial setup, or to our last good image.

      When things do go amiss on the non-developer workstations, they get “flashed” back to the standard installation. The IT support staff doesn’t even begin to try to troubleshoot. It’s not worth the time or effort. Everyone knows, you screw it up, your box gets re-flashed! The “flash” is a customized XP Pro installation that has been burned to CD, so the IT support staff shows up with one of the CDs and says “this will take about an hour, why don’t you go to lunch?”.

      It’s not all peaches and cream because IT (often) gets called on the carpet to justify why things are set the way they are. So far IT has always been able to successfully defend their position.

      All in all, it works out pretty well.

    • #2731738

      Depends on the Chain of command

      by spankyb ·

      In reply to admin rights for executives?

      What you do depends on the chain of command at your firm. If you have a powerful exec. that you report up through, you can stick to your guns. But let your VP(CIO) fight that battle. If you don’t have a VP or CIO that respects the importance of your IT policy, you might as well give him his local admin rights. You’re not going to win that battle, you might as well save yourself. Having said that, I would politely explain when you do this that your department will only support the “approved applications and configurations”, if he gets himself into trouble with something he’s done, you’ll help him out as time permits.

    • #2731736

      Policy Edit

      by dkeggins ·

      In reply to admin rights for executives?

      In talking with the VP, try to feel out exactly why he may need the admin rights. May it be to install software or hardware… Then edit the policies so his user account, or the power user group and set him as power user, so he can do what he needs, but still limit him in other areas so he will do less damage. I’ve had to do this for our sales department with WinXP. They wanted to be able to install printers while on the road so they can hook up to a printer in the hotels and print. I gave them Power User access and modified the policies so they can install hardware on the computer. Made them happy and made my IT manager happy all at once.

    • #2731733

      Once again, “Who is the Customer?”

      by dumbuser ·

      In reply to admin rights for executives?

      Sounds like the guy may be a real jerk, but still, he is the boss above you in the company, is he not?

      You do not own the system, the company does. It is your job to keep things running, regardless of the stupidity of the users. I’d give him what he wants, with the proviso that if he screws it up, he may have “some down time.” Of course, if he is the company’s VP, you’d have to eat those words most likely.

      I work in HR, and we get the same old questions from people about insurance coverage, company policy, etc., and we don’t tell them, “Hey, the policy is that you should let us determine how to select your insurance and be happy with it.” We give our customers options, and we advise them of what we think best, but they are free to screw up their coverage if they so wish. And yes, if they do, then we get to fix it for them. It’s all part of providing customer service.

      IT must develop a customer service attitude, or it will find itself in power struggles that it cannot win, especially with senior executives. (I know, been there, done that.)

      • #2731706

        Way off base…

        by michael.obrien ·

        In reply to Once again, “Who is the Customer?”

        I have to completely disagree with dumbuser’s comments. You simply can’t compare HR issues with IT issues, they aren’t even close.

        If a person screws up their insurance, does that impact the company? No, just that person. But if Hiro’s whiney exec downloads a trojan horse or worm because he now has the “right” to do so, then brings that computer into the company, bypassing the firewalls and virus gateways, who will suffer then? The entire company, especially Hiro, the guy who gets blamed for the breach and has to clean up the mess, if he still has a job.

        We had a similar case of a “rogue” user at a branch office loading “freeware” on their laptop and then bringing it into work to show their buddies how cool this game was. What he didn’t see was the trojan that also got loaded. When he hooked back up to the internal network (and most orgs don’t firewall office from office or anti virus), the trojan propagated throughout the enterprise in under an hour, bringing our systems to their knees. This brought our entire business to a near halt for better than 24 hours until it could be cleaned up.

        How much does it cost your business to be without their computers for 24 hrs??? I work for a Tier 1 automotive supplier, computers run the entire operation. It’s been calculated that we can lose as much as $10,000 per MINUTE when our systems are down. We can’t ship, receive, transmit data to our customers, receive data from our suppliers, etc….
        I agree with everyone that says, go over this guy’s head to his boss and yours and make them aware of the potential negative impact to the company. Explain that you are trying to protect the company, not trying to play “God” or just being a stink, by denying this guy admin rights. Then, if this exec’s boss still approves it, then ask him to sign a doc stating that you’ve explained the potential impacts. This will be your “get out of jail free” card when it eventually hits the fan! And it will.

        Good luck Hiro….We IT people feel your pain 😉
        MO’B

      • #2731657

        Customer care must not be customer worship!

        by habari ·

        In reply to Once again, “Who is the Customer?”

        O.K. the exec is a customer but every service must have defined boundaries else there will be SLAs anyway. The business must also understand there is a cost to every IT service they enjoy. Up times can only be guaranteed within a certain relevant range defined by the standard operating environment. There will be allowance for exceptions but care must be taken to ensure that the exceptions do not become the expected! The question should be “what value does this access add to the BUSINESS”.

      • #2731537

        misunderstanding of roles

        by jj_itguy ·

        In reply to Once again, “Who is the Customer?”

        You are hired to give options. We are hired to protect the computers, networks, databases, privacy, reputations, etc…

        BIG difference.

        By not protecting our “customers” we ARE NOT giving them good service and we are not doing the job we got hired to do.

    • #2731723

      ITs their world

      by nios ·

      In reply to admin rights for executives?

      This is really a no-brainer to me. As a support person I work at the graces of the executives of my company, they are the ones that pay my salary, purchase and own the equipment that I use. It’s never an IT against the executive it would be dumb to look at it in this manner. I know a lot of IT guys that think that they own the network that they manage and fight to control access and such, they tend to find themselves bested by the powers that be and giving up ultimately, of course this is after a rather large loss of face on their part. Others, don’t give in and the network that they thought that they owned becomes the property of their replacement who understands that in a capitalist system that the workers do not own the means of production.
      Back the data up, ghost the machine and give the guy what he wants. If he messes it up, fix it, that’s your job.

      • #2731718

        Hear, Hear

        by robthegeek ·

        In reply to ITs their world

        Been there, done that, got the old fired t-shirt… There are certainly worse things than eating a little crow now and then…the un-employment line is not a pleasant spot. I am in a position where I have 1100 clients to one support person. I explain that time is of the essence, and there is not enough time in the day to troubleshoot user caused errors. If it is not repairable in 10 minutes, it is a rebuild. If your data is not backed up on the server, I’ll be back in 20 minutes. If you can’t get at the data, I can have you back on your feet in about 15 minutes. Policy only governs those who will be governed. Locks only keep honest people honest. If the user ‘needs’ to do this, they are my ‘boss’ and I will do everything in my power to make their computing experience pleasurable.
        I also inform them that spyware and malware is sufficient reason to rebuild.

    • #2731720

      Cynical Idea

      by gsquared ·

      In reply to admin rights for executives?

      If the exec is computer-literate enough, this won’t work.

      Try creating an “Executive Account”, give it the same rights as any normal user, but the more important sounding name will make a lot of power-happy types feel like they’re getting something special.

      If he’s educated enough to know that that’s just BS, it won’t work. You’ll need a clarification from someone senior enough in the organization to have real policy-authority.

      The top people in the place I work are the owners of the business, and if they wanted admin rights on the server, we’d give it to them. After all, they own the server, can’t very well tell them no way. They’re smart enough to not want that. Sounds like your guy isn’t that smart.

      If you do end up having to give him Admin rights, you should be able to set it up so he can only blow up his own laptop. Give him admin rights on that and regular user rights on the LAN and server – that way he can install his own spyware and trojans on his laptop, but can’t put anything on the server. That’s still a risk, but a lesser one than full admin rights to the whole system.

    • #2731719

      Jeesh

      by tneukam ·

      In reply to admin rights for executives?

      This whole discussion really heats me up. Over the past 30 years, I’ve been a user, and I’ve been the IT guy.

      Reading between the lines, it seems to me like YOU are the “wanabe.” You seem more miffed that someone who was laid off in the past is now back and in a position of power than anything else. I don’t see how giving him admin rights to his local machine is going to hurt anyone. If he has any tech abilities whatsoever, he’ll find the tools to give himself those rights anyway.

      I really don’t agree with the limitations that a lot of you folks want to put on users – JUST BECAUSE YOU CAN.

      I really hope that someone in a real position of power finds out that the guy who punishes the exec by impounding his machine for 24 hours finds about it and cans his butt.

      You guys ALL have to learn that the only REAL business of any business is to 1) sell things, 2) manufacture things, 3) provide a service – or some combination thereof. Like it or not IT is just a support mechanism to do the real business, not unlike the people providing any support services, secretaries, janitors, etc. Think about it, if the janitors started messing with the senior executives because they didn’t like the way they threw the trash in their wastebasket, they would not last very long. You guys ALL better get a better attitude. Although there are still a lot of these folks that know very little about technology, there are also quite a few that are very savvy – or they have friends and family members that are. If you like your job, you might want to choose your battles a little more carefully, and not try to be such an “IT Nazi.” Worst they can do is screw up their own machine. Anyone of you that think there is a legitimate reason to restrict a user from choosing their own screen saver or color scheme is a little daft. If the janitor made you keep your chair or pencil holder in a certain prescribed place, you’d be a little miffed.

      BTW – do YOU have rights to make changes to YOUR local machine???

      -TN

      • #2731710

        Shut up and color!

        by jay.camp ·

        In reply to Jeesh

        Aren’t we dealing with grown-ups?

        As a Senior VP he should have known the policies in place before accepting the position or at least agreed to abide by established policies. I am sure there is a way for him to get the policy changed if it is deemed necessary. That is up to him to pursue.

        It is your job to enforce the policies decided upon by people above your paygrade. If you get the go-ahead to allow this person admin rights, do it. If you don’t get permission to allow him admin rights, don’t. Tell this person you don’t make the policy, you just follow what has been put down on paper. Doing this you have just covered yourself.

        If the VP gets his way, give the absolute best service you can! Doing this you have just covered yourself. If the VP screws things up and can’t do his job, I’m sure policy will change back.

        You report to your supervisor. Take your direction from him, that’s why he makes the big bucks! Your job is to just shut up and color.

      • #2731703

        Way to miss the point…

        by happy ·

        In reply to Jeesh

        The notion of IT Nazi is completely ridiculous. There are some people in smaller organizations who may want to run a power trip but in a large scale environment that is ludicrous. Sounds to me more like you are the one with the issues. The point about admin control is nothing to do with power struggles or having to ghost / flash someone’s laptop, the real threat here is the installation of spyware, malware, viruses and back door software. The single greatest threat we face in our organization of over 1200 workstations is trojans/viruses. Allowing anyone to have admin rights who is not employed in a position where that type of access is REQUIRED is laughable. This senior person whomever they may be should not be permitted to put the organization at risk whatever the reason. In an organization where legal ramifications of patient data and privacy are paramount, this is not even an issue.
        The rules are there to be followed.

        So follow.

      • #2731689

        Finally, a voice of reason

        by Anonymous ·

        In reply to Jeesh

        Good for you. While I feel for the difficulties the original poster is having, I’m glad you brought up why IT exists in the first place; which is to service the organization.

        • #2731530

          service the organization by unlocking the doors?

          by jj_itguy ·

          In reply to Finally, a voice of reason

          I find it hard to understand how this could ever be seen as “servicing the organization”. It is simply cowering to the demands of a person who does not understand IT or care about the risks.

          You are hired to do a job and allowing someone to jeopardize your job and the organization because of their position does not seem like a good service.

          All the disclaimers and “I told you so’s” won’t keep these people from firing you even if a problem was their fault. If they mess their laptop up before a big meeting and their ppt presentation won’t work, whose name gets negative recognition in front of many – theirs or yours? If you are going to get fired anyway, why not take the high ground and do what is right for the organization. When applying for the next job, I would feel better explaining that situation.

          Exec’s have to look good and the way they look good is by you providing true professional computing support and protection. This includes limiting admin rights to only those who are competent and trustworthy enough to handle them. Most of all it includes an active and ongoing training program to keep everyone up to date on current security risks and threats and how they can keep their computing environment safe.

          Fortunately, most execs I have worked with understand their limitations of IT knowledge and know exactly why they have an IT department.

        • #3249758

          It is a service because…

          by Anonymous ·

          In reply to service the organization by unlocking the doors?

          It is a service because it is what the boss wants.

          To put it simply, as long as you are not asked to break the law, do what the boss wants. Now I’m NOT saying don’t make the boss aware of the risks! By all means let the boss know the risks of their choice and document you did so. But it is not your call. That is why they get paid to be the boss, to make such choices.

          That is what being the boss is all about, making the hard choices.

    • #2731713

      Do it for him but follow policy. He is an exec, after all.

      by erich1010 ·

      In reply to admin rights for executives?

      However…

      Make sure you develop a full project plan for how a machine like that would be implemented on the network. Include any costs required to make sure that the machine is logically separated from important data that can’t be compromised. Make sure your plan includes enough time to get all of the appropriate waivers required to implement this. Also include any overhead costs for supporting this one-off machine, above normal network costs. Remember that any additional software or hardware that he puts on his machine will probably have to be vetted through normal channels. Appropriate waivers will be required for each and the software licenses will have to be included in your company’s configuration management system. There will probably be other costs for special backups and restores from his machine, which should be kept separate from the production system, in case he contracts any viruses or worms.

      Make sure he knows that this is required for such access and why. And make sure he knows that this item will appear in the next budget, if approved.

      I worked for a government facility that required high security. One of the top heads wanted his PDA to connect to the network to download his calendar. PDAs, themselves, were usually not allowed in buildings. We came up with a solution to do that securely. I don’t know if it was actually implemented, because it took long enough time to figure out that I was out of there before implementation. However, it followed policy and we went through the usual hoops to get it done. He’ll have to justify that expense to his people. Budget planning is not my job.

    • #2731705

      Doing this got me fired

      by regul8tr ·

      In reply to admin rights for executives?

      When I faced this decision, my IT Director approved the rights. When the VP fubar’d his laptop, I caught the crap. It didn’t seem to matter that he had been ‘approved’ by the IT director, and that I had written documentation stating he was responsible for any damage, data loss, etc. My advice is to be careful. If you have a policy in place, stick to it. If you let this one have it, then get ready for everybody to demand it.

      • #2731690

        exceptions prove the rule

        by david.planchon ·

        In reply to Doing this got me fired

        I’ve been supporting execs for 10+ years now in a large multinational firm, personally I dread working with engineers more than with execs.
        Most execs have too much work to fu$* around with their system; they need 100% availability and up time.
        I’ve almost always given my execs local rights to their system, a decision made during a board of directors meeting.
        Early in my career I found it more beneficial to deal with the occasional hassle of customizing each exec system than trying to make them conform with our views of security. My group and I are more worried about execs working on presentations on the laptops on a plane or an airport lounge than anything else.
        Plus keeping them satisfied puts you and your team in their good graces, something that will take you a long way when the going gets tough.
        I have a whole lot more to say about this but no time right now unfortunately.

        So give them the rights, make sure that the IT director and CIO understand fully the implications of such a decision and go about your business. If it breaks fix it, if it doesn’t work tweak it, if all else fails go work for a group that has the same views you have.

      • #3180543

        Hate to say it but you fubar’d

        by Anonymous ·

        In reply to Doing this got me fired

        Based on your message it looks like you got fired because when the exec messed up the laptop (which was foreseeable) you were not prepared to get him back up and running immediately. You could have been the hero instead of the scapegoat. It may seem harsh but it was predictable. Any number of measures could have been taken to make the down-time minutes and IT look great. Instead all you were left with was an “I told you so” and an un-employment check.

    • #2731699

      Chill

      by jgh59 ·

      In reply to admin rights for executives?

      I have never understood not giving admin rights on a laptop computer. Without them, how is the user supposed to cope when issues arise in the field (the actual function of a mobile computer). More than once we have had users unable to work at a remote location because an issue came up on their laptop and they were unable to fix it or have it serviced because they didn’t have rights to their own PC. This happened to one engineer while visiting India. He ended up wasting the better part of a week because his laptop was down. Pretty much a waste of a $7000 trip, far more than the value of the laptop that some IT guy on a power trip wanted to control.

      So my advice is chill….

      • #2731681

        10-4

        by david.planchon ·

        In reply to Chill

        Yup, that’s where I was going with my input as well. A laptop is designed for travelling, when I started in this field I’d get calls at 03:00 and then at 04:30 because I worked at the world headquarters for my firm and my exec team was scattered around the globe all the time. You give local admin rights so that these people can get their work done. Let’s not forget who’s in the driver’s seat and who the mechanics are here.
        We all need each other but in the end a disgruntled VP weighs more than an admin (even a senior one)

    • #2731697

      ah. politics vs technology policy (security)

      by jaredh ·

      In reply to admin rights for executives?

      Should execs have admin rights to their laptops or not? That is the million dollar question with no right or wrong answer. In my environment, they do have rights to their own machine. We have policies that redirect things like favorites and my documents to a user directory on the server so if they blow up their machine, we reimage and they are automatically redirected to the servers for their data. If they avoid the redirection and lose their stuff, shame on them for breaking their machine in the first place.
      Unfortunately, that is the perfect situation. Politics usually wins and we have to bend over backwards for them. We hate it, it isn’t fair, but they are the ones who pay us.

    • #2731695

      The Data Asset

      by jeff ·

      In reply to admin rights for executives?

      If this exec is like many where I work, they tend to have highly sensitive corporate information on their laptops. The VP must understand that the policies exist to protect that asset. If he can look at information as a business asset and understand what happens when he loses or deletes something, it might make the VP realize that it is an impact to the bottomline.

      Then if they continue to persist on it, have them sign a management acceptable risk form. This form identifies the problem, risk, and consequences when security is relaxed on a policy. If they sign it, they indicate they are willing to accept the potential loss to the business.
      Jeff Evenson, CISM, CISSP, MCSE

    • #2731694

      A lot of good advice, but…

      by wwwebster ·

      In reply to admin rights for executives?

      Dude,
      You’re getting a lot of good advice here (some, maybe not so good depending on the ‘culture’ of your workplace). However…
      You mentioned your boss, suggesting there is someone higher up the ladder than you who has a stake in the outcome of this little roundabout. I think the safest thing in situations like this is to defer to that person and let them decide how to proceed. If the existing policy is theirs, they’re not gonna appreciate you making an exception they are opposed to, and there is someone else, with greater authority than yourself who can make the call, and therefore ultimately take the heat of any fallout (and there WILL be fallout – perhaps only an increased support workload, but fallout nonetheless).

      Just me $0.02 worth. Good luck with your new headache, er, I mean VP.

    • #2731691

      It is the Kobayashi Maru

      by tampa hillbilly ·

      In reply to admin rights for executives?

      What you have is a no-win scenario. Fired for challenging the Execs, or fired for violating documented policy. Even if you win against the Exec, the rest will resent you and your career will be limited. I say… Have your boss say you must have all requests that change company policy in writing, and then give Exec what he wants. That way the Exec gets to make an exec decision (policy change) and you get CYA.

    • #2731685

      Other Criteria Comes Into Play

      by zmanisin ·

      In reply to admin rights for executives?

      In the firms I’ve worked for over the last 10 years, laptops were either used for (among other things) remote connectivity or attaching to the network when the user was in the office (regardless of whether he/she also had a desktop PC).

      In those cases, there were 3 policies at issue, internal ‘computer use’ standards, network security and remote connectivity guidelines.

      Have your boss simplify the issue up his chain of command, as a “bottom-line” issue, which is all it ever really is at the top of the chain: If your VP doesn’t do either of the two things I mentioned, above, it’s a question of the cost of potential IT services (additional maintenance, reconfiguration, reinstallation, etc.) vs. the potential added value of his productivity.

      If he does connect to your network with the laptop, a laptop on which he hopes to have the freedom to install anything he wants, he puts your whole network at risk from viruses, bots, etc., and you should be able to have the issue quashed from above him, based on the potential loss of business. (Standard “best practice” when a virus hits the network, is to detach everyone from it until the issue is resolved, virtually or potentially stopping business for a day: What’s that worth to your firm?)

      If the VP connects remotely, the issue is whether your remote connectivity is set up securely enough to ensure – and I mean ENSURE – protection of your network. If it is, we’re back to the same issue of potential IT expense vs. VP’s potential productivity.

      If your remote connectivity isn’t fully secured – shame on you; your fault.

      Take it from a Computer Operations Manager: Policy should be adhered to…but it IS a bottom line issue, no matter how much IT wants it to be finite. It’s the potential cost of the risk & recovery vs. the potential gain, pure and simple.

    • #2731682

      Network Access

      by isaudit ·

      In reply to admin rights for executives?

      One piece of information that is missing or I just missed it is whether the laptop is going to be attached to the network other than through a VPN or other external access (DSL, Cable). If not, give the Exec local admin rights to the laptop. Have him sign a document stating that any software added to the laptop will not be supported by the company and he will be held liable for licensing violations.

      If the laptop will be attached to the network you have to stick to your policy. You can still give him local admin rights, with the condition that the laptop will be blocked from accessing the network. Regardless of some of the other comments posted here, you have a responsibility to protect the assets of the company. If your company has an Audit Department, have your boss meet with them since they should have direct access up the food chain.

      It seems to me that the VP is on a power trip from being called back to the company after being laid off two years ago.

    • #2731678

      Administrative Rights Carries Responsibilities

      by dan-hyde ·

      In reply to admin rights for executives?

      We have the same issues at the university I work at. We have created a form that the user needs to sign. The form states that the user becomes responsible for administration of that laptop.
      If the machine becomes compromised, it will be blocked from the network. IT will only offer limited software/hardware assistance in case of problems and this normally ends with rebuilding the machine and possible loss of data. The end user also becomes legally responsible for installed software and the laptop is subject to audits for unlicensed software. The bottom line is if they insist on admin rights, they are on their own. When someone with admin rights has a problem, they are always at the bottom of the queue.

    • #2731671

      To put it in perspective

      by rnickolaus ·

      In reply to admin rights for executives?

      No way. This has nothing to do with rank; it is policy. Here’s a couple arguments.

      1) If something goes wrong, this individual is not responsible per his job description. Whomever is responsible for consequences is also responsible for policies. It would be possible for the individual to accidentally load software that could affect your network, data security, other users, productivity, etc. The IT staff that has prepared to deal with those issues have a responsibility to everyone.

      2) The individual wouldn’t ask to have unlimited access to the checking account overruling a financial staff member would they? Why would this be any different? It is company assets.

      I do agree that executives should be given preferred treatment and possibly access to additional tools and documents (especially software) in order to do their jobs. IT is a support department. The second IT hinders rather than helps the company as a whole, it has failed its role.

      • #2731501

        agree fully and..

        by jj_itguy ·

        In reply to To put it in perspective

        With few sad exceptions this is not about a power grab as some have mentioned. It is about performing our tasks, duties and responsibilities properly.

        The “reactive” IT methodology is what allows a virus to spread around the world in seconds and IT depts to get a lot of overtime pay, unless of course you’re on salary like me.

        The real problem for some is understanding the true hindrance to use your words. When we use SPAM filters and they catch one valid email that was important. Did the IT dept cause the problem or the fact that SPAM exists cause the problem?

        If an exec can’t access information that exists on a known problem server because we have blocked access via a firewall. Who/what is the real problem here?

        Helping all users to understand what they are being protected from is absolutely necessary to eliminate almost all problems such as the one being addressed here.

        Also being able to show the $$ saved due to your efforts wins the heart of most execs.

    • #2731668

      Do you have a business reason for Admin

      by tired-tech ·

      In reply to admin rights for executives?

      I work for a large major corp who found that having users (Including execs) put in writing the business reason they feel that they should have admin rights on their systems. This has to pass by 3 people in the “food chain” before it can be done.
      As a member of the executive support team and at their “beck and call” 24/7.
      Reminding him that policies are for everybody including execs (they made the policy, are they above it ?) and that he may ask your head IT guy to have you give him admin rights takes you out of the loop
      You’re just doing your job. (good company man following direction given)

    • #2731666

      Owner of our company doesn’t WANT admin PW

      by sonicclang ·

      In reply to admin rights for executives?

      I work at a pharmaceutical company. Over the last couple years we’ve been working towards being more secure, both with physical security and network security. We’re under strict guidelines by the FDA and DEA that only certain people can have access to certain areas of the facility. We moved our servers into a VERY secure room that only a small handful of people can enter. When it came time to talk network security with the owner of our company he told me he wanted it just as strict as our facility security. He told me outright that he doesn’t want to know the admin password. He doesn’t even want access to the server room. After all, the computer with the facility security software is in that room, he wouldn’t want to be accused of changing his access rights. Plus he completely understands that it doesn’t take much to completely hose a computer, so why would he want full control over his computer?

      I wish ALL bosses were as easy to work with as mine. I think a lot of people’s lives would be a lot easier. My boss knows where he stands, he doesn’t need to go on a power trip.

      • #2731475

        This is true understanding

        by jj_itguy ·

        In reply to Owner of our company doesn’t WANT admin PW

        And another important point is that your boss understands that IT is not on a power trip but that it has the best interest of the company in mind.

        Fortunately most execs I have worked with have this same understanding.

    • #2731658

      A lot of good advice, but…

      by wwwebster ·

      In reply to admin rights for executives?

      Dude,
      You’re getting a lot of good advice here (some, maybe not so good depending on the ‘culture’ of your workplace). However…
      You mentioned your boss, suggesting there is someone higher up the ladder than you who has a stake in the outcome of this little roundabout. I think the safest thing in situations like this is to defer to that person and let them decide how to proceed. If the existing policy is theirs, they’re not gonna appreciate you making an exception they are opposed to, and there is someone else, with greater authority than yourself who can make the call, and therefore ultimately take the heat of any fallout (and there WILL be fallout – perhaps only an increased support workload, but fallout nonetheless).

      Just me $0.02 worth. Good luck with your new headache, er, I mean VP.

    • #2731652

      Get the CIO’s buy off

      by exec_woobie ·

      In reply to admin rights for executives?

      I work at corporate. All the execs “needed” full admin rights to their local machines. Our new CIO put a stop to it and had us lock down the network and migrate to pure Windows 2000. Now, not a single “C-level” executive has admin rights. Anybody else who asks is directed up the chain until they reach our CIO. This greatly discourages these requests.

    • #2731649

      Exec Admin Right

      by jahaun ·

      In reply to admin rights for executives?

      Execs are employees just like the lowest person in the company. The IT policy is designed to protect the company from IT problems. Therefore, since the Execs are employees of the company, they need to follow the same rules as any other employee. PERIOD. END OF DISCUSSION.

    • #2731647

      Ask Him to Set the Example

      by dmambo ·

      In reply to admin rights for executives?

      Seems to me any decent manager wants to set an example for other employees to follow. This guy should be asked to do that by abiding by standard policies.

      I don’t like this, but my boss took care of a similar problem. He granted the exec the admin privileges requested, then about a week later went into the hidden C$ share and deleted a couple of files. When the exec complained to me that the files were gone, I reminded him that only server shares were backed up, and that if his local files couldn’t be recovered, they were gone forever. As I said, I don’t like this, but it sure worked! (My boss, for whom I have a lot of respect, did not set a good example here.)

    • #2731646

      admin rights for Execs

      by bywhatnow ·

      In reply to admin rights for executives?

      The IT policy was put in place to eliminate rogue users from contaminating the network. It was (in most corps) signed off on and approved by the high up execs. I would take his request to the (have my boss take it) president or highest ranking company officer that I could get it in front of. Explain to this officer that one breach of security could cost the company hundreds, thousands, or even millions of dollars. If he says to give this guy full access then I would have him sign off on his decision placing him and the rogue exec at risk to pay for any loss accrued because of this person. I would also have the rogue exec sign off agreeing to pay any damages caused by him having full access to the rights on his computer that he is connecting to the company network.

      Michael

      That’s My Story And I’m Stickin To It

    • #2731641

      Our Approach (We broke down)

      by pdouglas4294 ·

      In reply to admin rights for executives?

      I work for a moderate sized Gov’t entity. This limits our ability to bill someone for messing up their computers.
      Dept policy states that users shouldn’t run with Administrative access unless there is a compelling reason.
      We have a few people (who previously had Whine 98) with new WinXP laptops. They were set as “Power Users”. They complained they couldn’t make certain changes to their computer because the changes needed Admin Rights.
      What we did was to create an account called “Installer” on their laptops with Admin rights. In order for them to get the password, they had to sign a document detailing:
      – why you shouldn’t run as an admin
      – it is in violation of Dept Policy to install unauthorized software, either from media or downloaded from the Internet
      – you won’t change your own access level
      – you will not change the administrator password
      – Violations of those (and other items) could result in loss of the special account.

      The only problem I’ve run into with this is the software for one of the PDA’s didn’t want to cooperate. Normal user account couldn’t install it. Installed with the installer account wouldn’t run with the normal “JoeUser” account being active. I had to upgrade the “JoeUser” account, install it, and then downgrade the account back to Power User.

      TTFN

    • #2731639

      IT is IT if followed by IT guidelines

      by tomdean ·

      In reply to admin rights for executives?

      1-don’t break your IT policies for employees.
      2-Give the big shot power user status, -make him feel important.
      3-follow rules 1, and 2 and enjoy less stress and Microsoft based headaches in your life.

    • #2731638

      Don’t Do IT,…. You’ll screw the rest of the enterprise….

      by mariosoberal ·

      In reply to admin rights for executives?

      Don’t do IT because if it gets around the next SVP will want it and then what about VP’s, and can you really stop Directors and Managers if VP’s and SVP’s get it? And what about that EVP whose son showed him how to take the cover off of his PC to add memory? Where does it stop?

      That’s why you have policies. If you are having problems with that YAHOO, then talk to the Chain of Command and let that EVP or CEO do their job and tell this SVP why you have policies. Be ready however to support their needs. We in IT cannot hide behind our policies so that we don’t have to do something. If this person needs support, that’s your job, meet their needs and then they won’t have any reason to ask to go around the standard…….good luck………..

    • #2731636

      I get another personal laptop

      by evp01 ·

      In reply to admin rights for executives?

      Since the company owner won’t take responsibility for his own inabilities or errors, he blames the computer. Therefore he gets a new one, and I inherit the old (1-2 yr old) laptop. A quick rebuild and I have a new toy.

    • #2731635

      How would you like it

      by jdpond ·

      In reply to admin rights for executives?

      The first rule in technology is eat your own dog food.

      If you have given up administrative rights to your laptop, you should have no problem convincing someone else to.

      If you haven’t, you are a hypocrite and frankly a micro power freak. Don’t ever impose a rule on someone else you wouldn’t be willing to live with yourself.

      • #2731542

        WHAT!!!!

        by isaudit ·

        In reply to How would you like it

        The person who started this post is a System Admin. Admin being the key word here. It would be like telling your Payroll manager that since pay information isn’t available to other employees you can’t look at it either.

        I can’t see why a VP needs admin rights to do their job. Their job is to lead the area they oversee, not play with computer settings.

    • #2731622

      Admin rights for execs – conditional

      by mapoolet ·

      In reply to admin rights for executives?

      One thing about a use policy for the department, if it’s written without room for exceptions, then you might be locking yourself (and the company) inside that proverbial “box”.

      Giving certain individuals rights that supersede their normal group assignment might be what you need to do in order to give them the freedom they require to innovate. Of course, it can also cause a lot of trouble for your support organization, which is why you have to evaluate each request for extra rights independently and in its proper context.

      What would be the downside of making this exec a local administrator on his own laptop? I’m assuming that you have some sort of “watchdog” or “spyware” running on each client machine, to monitor the exceptional circumstances. Is he clever enough to realize this? Wouldn’t you still be able to monitor his activities? As a matter of fact, you could make the local administrator status contingent on the user being constantly monitored, and let him know that. Give him one chance. If he screws up, then he reverts back to the pre-defined management role. And OF COURSE he’s held responsible for EVERYTHING that happens on his laptop once he’s a local admin, whether or not it’s his fault. NO, he doesn’t get preferential treatment from IT support — after all, he’s a local admin, he should be able to troubleshoot his own IT problems, right?

    • #2731618

      Job Insecurity: Ridiculous policies

      by kenneth.collazos ·

      In reply to admin rights for executives?

      I can’t understand why anyone would impose such ridiculous policies.
      This only shows how lazy this IT team is, and it also shows their lack of creativity and innovation.

      HAVE A NICE DAY !!!

      • #2731587

        Disagree totally

        by david.planchon ·

        In reply to Job Insecurity: Ridiculous policies

        I disagree with your comment Kenneth. Even though I personally give admin rights to my execs I strongly agree that no user (no matter who) should be given the keys to the gate without due notice of the implications and responsibilities incurred with such permissions.
        I control it by running several sms server, dameware nt utilities, antigen, websense, opening only the ports we need to work and keeping a very tight lid on antivirus updates and ms patches.

        People might install “stuff” but I’ve found execs don’t have time to “futz” around with the laptop. They understand that doing so will result in down time, and that’s time and money, both commodities execs are acutely stressed about.

        Engineers are the real danger, they like to tweak, tinker, and test the limits of everything they touch.

    • #2731617

      Reasons should be checked out.

      by gschoenf ·

      In reply to admin rights for executives?

      Procedures are often like the law: No one is exempt but there may be valid reasons to allow an individual some latitude. As an officer of my union, I am given admin authority over my workstation simply because 1. labour Law protects confidential data. 2. my workstation is used only for union business 3. the company provides the workstation under the terms of a collective agreement. Similarly a human resources professional may need admin authority over her workstation due to the confidential personal and labour relations information that is stored there. Each request must be evaluated on the basis of need, taking into account not just corporate or departmental policy but also legislation and contractual obligations. A serious legal exposure could be created when policy does not allow for evaluation on a case by case basis. On the other hand, just because someone says “I’m higher up than you so you have to listen to me,” does not automatically mean that you have to risk your own job by violating a clearly stated policy. The issue should be referred to someone in higher authority. Keep written records of all discussions and print hard copies of all communications on the matter. Cover yourself by using due diligence, by asking for a second opinion from your own boss and under no circumstances allow your personal feelings to enter into the discussion. Accountability is the key. It’s just good business!

    • #2731607

      admin rights for executives?

      by michael_52_jessett ·

      In reply to admin rights for executives?

      This is my idea for you:
      I agree with the idea that a face to face meeting with the policy manual right there with your boss and his and explain to him that these policies are there for a reason then do the following.

      1. Provide an itemized bill showing the VP exactly how much it would cost him to repair the problem(s) he created through his mistakes.

      2. Tell him that he must pay for those mistakes from his own pocket, not the company’s account.
      This should hopefully make him think very hard about the potential out of pocket cost if he messes up.

      Like the others in this discussion, there is a major security concern with unauthorised software, copied or unlicensed. The downloading of software from the internet, specifically any peer to peer software which could allow anyone outside the company to look at, modify or steal company data. Explain to the VP that he would be held legally responsible for said attack with the possibility of being financially responsible for said breach.

    • #2731606

      Reply To: admin rights for executives?

      by nd_it ·

      In reply to admin rights for executives?

      I believe that policies are made for a reason, checks and balances. I don’t feel the IT department is lazy implementing such policies, but it does protect everyone in the company to ensure data and equipment protection. You are always going to have some ego-managers that think that they have a piece of paper that they can request such ridiculous things. Policies should be stated and implemented as soon as a employess, IT, Management or otherwise.

    • #2731605

      Reply To: admin rights for executives?

      by nd_it ·

      In reply to admin rights for executives?

      Good managers should and need to understand why the policies are in place for all departments, not just IT, and should be in support of the policies departments set up. If there is a disagreement, everyone should discuss those issues. However, you always have some power tripping manager who thinks they can go over anyone anytime they feel like it.

    • #2731602

      Odd occasions

      by oz_media ·

      In reply to admin rights for executives?

      I have one client whose sales manager USED to be their net admin, he knows SOME stuff but also knows what not to get into, therefore he has admin rights (remember, it’s NOT MY NETWORK, it belongs to the company). I had cleared his want for rights with HIS boss and also explained it MAY be a problem but he assured me it was ok to give him the rights. Remember, these guys are responsible enough that if they demand admin rights and then screw up the network, it isn’t my fault, the company owns the network and simply pays me to fix it. If I submit too many bills for fixing up some managers problems, HIS boss will talk to him about it.

      In your case, I assume by wannabe, you are referring to his network knowledge. For some reason, ANYONE, regardless of experience, that is not hired directly to handle a position is considered a wannabe. I find many IT staff have their heads in the clouds most of the time when it comes to their importance to the company whereas in reality anyone can be replaced in a heartbeat, don’t think you can’t because you can.

      So what I’m getting at here, the bottom line, is that no matter how important you feel you are, a VP will do as he chooses and you are simply paid to accommodate him. You can suggest that it is not a good idea to have loose access policies but in essence, if the SVP decided to purposely screw up the network and create two weeks work for you, that’s his choice and you simply have to do the work you are being paid to do.

      If YOUR boss wonders why all this is screwed up, you just have to say, the SVP insisted on having full access rights despite your recommendations not to. You are now off the hook.

      No matter what gets screwed up, it just keeps you busy, you get paid by the company to keep things going and if they die to fix them. I don’t see why this issue comes up ALL THE TIME here.

      IT STAFF ARE SIMPLY EMPLOYEES, don’t forget your role and remember that it’s just a job and you get paid to turn up and keep it going. If you don’t like it, there are MILLIONS of MSCE’s waiting to step in and take over. IT staff, salesmen, janitorial staff, shipping staff, production staff it is ALL THE SAME. You are an employee that is paid to perform a job, if your job ALSO entails deciding WHO gets what access rights and you are concerned, relay your concerns to the powers that be and see what their response is. If they say go ahead, then do it. If it costs the company money, it’s THEIR headache and not yours. I see so many people trying to accept responsibilities as if the network is their own or the users are all idiots (which I agree many are).

      Worst case scenario, this guy is gonna bring you some overtime so you can buy the wife dinner and a new dress.

      • #2731582

        How many hours do you work?

        by ctdak ·

        In reply to Odd occasions

        This comment is idealistic, simplistic and maybe naive. I can only assume that your company has more IT staff than most. Most IT depts are understaffed and overrun with work. It’s not just a matter of being paid to fix users’ screw ups or of getting paid for overtime. IT has to have network-protective policies in place to help ensure their staff can keep their sanity and have a life outside of work.

        In my experience it’s also true that most IT people, especially managers, take some “ownership” of the company’s network, which is a positive thing for the company. It may not be the IT department’s network, but the company should be glad if they treat it that way.

        As long as upper management is educated regarding in-house security concerns and is behind their IT dept, then NO exec needs to be given Admin rights.

        • #2731526

          Man are you ever way off base!

          by oz_media ·

          In reply to How many hours do you work?

          Well I work from Home as a remote admin for two clients. They have NO IN HOUSE IT STAFF, as a Netware engineer I am their only admin but as I have said before, Netware = less servers and far less staff. If these companies were still in a MS environment, they would need a dozen techs and four more servers.

          One is a major grocery store that has locations all over BC, the other is a law firm.

          So NO you can’t assume that MY company has more staff than most. In fact the companies that hire me have ONE IT member for all servers and VoIP PBX’s across their locations. I designed, coordinated the install and manage their VoIP PBX’s, all telecom services and networks, mainly from home but with site visits for hardware stuff as needed. It’s like being the Maytag man though, you have to dig deep to find work to perform.

          In short, your analogy (as you call it an assumption) is WAY off base, in fact not even close. Phew, good thing you aren’t in charge of your company’s business strategies, your assumptions and foresight need a lot of work.

          As for company policies, they only reach as far as those who they are focused on, generally the grunts. You’ll learn over time that CO’s and VP’s will do as they choose when they choose and it is none of your business. Again this is another reason why I wouldn’t work for anyone other than myself.

    • #2731601

      Good Opportunity

      by fcleroux ·

      In reply to admin rights for executives?

      Easy, just demand that you should have the right to make any financial business decision even if it’s not related to IT! After you get a quick NO. Ask why?? He’ll probably quickly realise why he shouldn’t have admin rights.

    • #2731580

      No admin rights for users on network

      by elama ·

      In reply to admin rights for executives?

      My county has a computer policy, and every employee, regardless of their position, MUST sign it. In the policy it clearly states that only IT has administrative rights on our domain. Experience has demonstrated time and again that employees will add software that sounds good in theory, but in actuality are simply headaches. Your new VP sounds like he’s in that category.

    • #2731579

      No Admin Rights for Executives

      by socal_it_director ·

      In reply to admin rights for executives?

      No, We don’t.

      Admin rights presume, among other things, that a user desires to install software. If it’s company issued, supported, and expensed; that includes any software that is placed on it, too.

      If an exec has a business reason for something else to be installed, then that’s possible. And in those cases, you may/may not grant the company licensing, installing, and supporting the app depending on your wishes and how much stink it’ll raise. But I say, stick to your guns and keep those instances low or non-existent.

    • #2731578

      Admin Rights to Exec’s

      by joew ·

      In reply to admin rights for executives?

      The solution that I have used in the past that works with demanding Exec’s, is you give the Exec’s ‘Read Only’ access to the network, and you set up your policy so that they cannot copy sensitive files off of the network. With ‘Read Only’ you have no fear of them changing anything and with no copy, they cannot take anything out of the office.

    • #2731558

      Reply To: admin rights for executives?

      by nd_it ·

      In reply to admin rights for executives?

      Most execs that I have seen in this company only care about one application: e-mail. As long as they are able to communicate using e-mail from the office, home, hotel, etc. The only other type of software most require is MS Office or some other kind of word processor or spreadsheet software. It’s the other workers that I fear, engineers especially because they think they are technically savvy and can load and troubleshoot software on their own.

      • #2731555

        right there with ya

        by david.planchon ·

        In reply to Reply To: admin rights for executives?

        Execs don’t mess around; their workload is insane most of the time, they know, truly, how time consuming a downed PC is to them.
        I fear engineers the most, they tinker, toy, test and push to the limits everything they encounter.

      • #2731556

        What’s really funny…

        by nd_it ·

        In reply to Reply To: admin rights for executives?

        Is that most people think that an engineer is a pretty highly educated person, but when I get a phone call from one who is having trouble with a presentation, I find out they don’t know how to get the image from the laptop to the projector! NICE!

    • #2731538

      The Boss is Right!

      by newby7718 ·

      In reply to admin rights for executives?

      Two rules of business:
      1. The boss is right.
      2. See rule number 1.

      An executive has earned the right (or at least, has been given the right) to be boss. Whatever that executive needs should be one of your top priorities (even if it is wrong)… unless you can prove otherwise without upsetting the boss.

      As an IT professional, you should be able to devise backup and access rights that prevent “ANY” user (or hacker) from destroying critical systems and data.

      Sure the exec can be given admin rights to their own system, but Standardization, Backup, Training, Redundancy, Disaster Recovery, and Policy Exception options should be in place to protect users from themselves, instead of the “hard nose” tactics that keep Executives from “owning” their system.

      IT is a Service Organization! As an IT Professional you should provide “SERVICE” to any employee that qualifies for your services.

      As an IT manager, my techies were required to fix, or replace an Executive’s system within 20 minutes from the time it was reported. The methods mentioned above allowed us to do just that and “good service” gave us the confidence and respect of the Executives. They were our friends … not our enemies.

      After all … the Executives are the ones making the big bucks and policy decisions. They also control the IT budgets and your destiny at work.

      Look at it this way: If it is EASY for you, you are probably making it more difficult for the users. Make it EASY for the users … then you are doing your job as an IT Professional.

    • #2731536

      Executive admin rights vs. I.T. policy

      by samc-sysadmin ·

      In reply to admin rights for executives?

      This is a difficult (but fairly common) situation in the corporate workplace. You are right to try to hold to your existing I.T. policy for all corporate staff – REGARDLESS of their rank or position. Occasionally, executive privilege has managed to override I.T. policy in corporations that I have worked for. When that has happened, our department managed to get a SIGNED agreement from the executive that he accepted full liability for his data and operating system and any / all subsequent support problems would be queued / handled through the basic helpdesk system with NO SPECIAL PRIORITY. Furthermore, any non-standard installations or repairs would be directly billed to the executive (not the I.T.) budget. Essentially, we told the execs that they were stepping outside the I.T. department’s ability to support his system in a timely and properly budgeted manner and that s/he would have to accept full responsibility for that privilege. Many execs, when facing the situation in that manner, will back off into corporate compliance. A few that I recall decided to “go it alone” soon gave up after a few bad experiences with trying to “outsource” their corporately customized configurations to an unfamiliar consultant or repair shop. Good luck …

    • #2731484

      The High and mighties

      by ejennings ·

      In reply to admin rights for executives?

      Sure give him admin rights for his pc. Take him to the users account and show Mr. Big, look sir you are an administrator. Make him feel important. Restrict him on the server side. Restrict him with group policies and local policies. Definitely do not make him part of the administrators group on the server.

    • #2731456

      OK lets look at it this way

      by oz_media ·

      In reply to admin rights for executives?

      I am the Sr.VP of the company that employs you. I ask you to do something and you raise an eyebrow.

      You sir need to go home and pick up a paper so you can find work, I’ll have your separation papers ready in the morning.

      • #2735522

        Another look

        by jamesrl ·

        In reply to OK lets look at it this way

        I am the president of the company that employs you. A set of corporate policies was created by me and those who work for me. You sir took it upon yourself to ignore those policies in the instance of Senior VP X. You didn’t consult anyone.

        You need to go home and pick up the paper, because you knew the rules and chose not to follow them. I will have your separation papers in the morning.

        I have seen that scenario play out. Bet you big time that Senior VP gets a mild slap on the wrist, and employee gets the short end of the stick. Senior VP will not stand up for IT person. Especially if something blows up big time.

        James

    • #2731449

      There is a noose here, question is, will it be on his neck or yours?

      by mdp716 ·

      In reply to admin rights for executives?

      If you are in a big corporation you can easily claim that you are only following rules. However, you should cover your back and have your supervisor take the issue up the chain to someone that is this guy’s peer or better and get an answer after that person has been given the facts as well as the caveats from a legal perspective, etc. Let them decide the issue, you will get paid the same whether he is a local admin to his laptop or not, but if you are the one that decides he can’t have the rights and you don’t cover your back then you will still get paid the same, only now it will be $0.00.

      I work in a smaller company and I pretty much set the rules as the Director of I.S. but if one of the owners wants to do something on his computer that he can’t I give him what he wants and if it is a danger I make sure that he understands what that danger is. But generally I try to only give them enough rights to do what they want to do.

      For the most part no one has even Power User rights, all used to when I came on board but since rebuilding the shambles into a real network and locking the important things down the problems have become much smaller and less frequent than they used to be.

      Laptops are different, only the President and the owners have them and they have a username to use to get admin rights if they want, but are advised not to use it except to set up printers, etc. and I encourage this by making the password very difficult to type for the admin rights user. These folks are lazy and will use the account that is easy for them to use.

      One owner has “blown up” his laptop at least three times in the past year, each time telling me the laptop is junk and to buy him a new one. Happened again early this week to the laptop that he bought (told Best Buy to sell him the best they had) because he was too impatient to wait as that last laptop got “blown up” on a Friday night. Currently the “new” laptop he was given yesterday is actually the same one he had before the one he just “blew up” but has since been FDISKed and reloaded and I get a good laugh every time I think about him telling me today how much faster and better this “new” one is than any of the others. I secretly wonder if I could give him an etch-a-sketch like Dilbert gave his boss (smile).

    • #2731447

      Give Examples

      by mikeapostol ·

      In reply to admin rights for executives?

      The owner of my company does not demand administration rights, but asked for them recently. I gave him 10 situations from his past where he would have cost himself tens of thousands of dollars as a result. He has also proven he can not abide by policy, so if I gave it to him with him promising not to use it or stay logged in with it in User mode, I know he would.

      The way I approach it is if you want me to remain your IT guy, absolutely nobody except a Professional will have that password. He tried to uninstall Spyware protection two weeks ago thinking it was Spyware but couldn’t due to his Domain User account. Thank God! I could go on and on and on with example after example of idiocy, translating it to costs and downtime. This is what I do when he or one of his “Directors” broach the subject.

      The day they have the Administrator password will be the day I leave.

      • #2731435

        Addendum

        by mikeapostol ·

        In reply to Give Examples

        I think there are many other ways of giving a user what they need without giving them a Local or Domain Administrator account. I don’t have time right now to go into them, but Group Policy, OU’s, Security Templates, etc are what I would use to address a business need. If there was a strong business argument for a specific user to have elevated rights/permissions/etc, I would try to deal with it by using a Security Group. I would never, ever, give a “User” Local or Domain Administrative rights unless they were an Administrator themselves with formal training and experience as well as need for Delegation. I have wasted too much time as a direct result of this to really ever consider it an effective approach.

        • #2731429

          I understand what you’re saying.

          by oz_media ·

          In reply to Addendum

          But if the boss wants to screw up the network, who are you to say he can’t? You work for HIM and HE pays you to do exactly what he asks of you, bottom line, no ifs, ands or buts about it, it is NOT your place to say no.

          If the boss asks for YOUR personal password and login name, you are obligated to give it to him. He who writes the checks, calls the shots, not his employees.

        • #2731425

          A higher Calling

          by jharris ·

          In reply to I understand what you’re saying.

          Oz…the horse of a different color comes to mind.

          Our top priority is to protect the data. The data pays our checks. Executives come and they go. The data and their equipment come back to us. We are the gatekeepers. IT policies, particularly security policies, are in place to protect the data, thus securing Payroll, Gods of the check printers.

          RakeHell

        • #2731421

          Fair enough

          by oz_media ·

          In reply to A higher Calling

          Personally I would let the Senior Vice President screw it up all he liked. If he wanted to take a baseball bat to the server I may suggest otherwise, but when it all comes down to it, you are protecting his equipment and his company, not yours. If he’s REALLY that much of an idiot, he’ll screw up and ultimately create more work for you, but how can you not justify time spent repairing at that point?

          I just don’t see what the big deal is really, it’s not like the shipping clerk is asking for access.

        • #2736831

          Corporate culture

          by jamesrl ·

          In reply to Fair enough

          Personally the answer to me lies in the corporate culture. Some places allow more latitude, some don’t.

          At the Fortune 100 I worked at, I was asked by a VP to take off a piece of security software off the user’s Macintosh. The software encrypted the Mac equivalent of the FAT and required a password, and of course timed out.

          But because there was a corporate policy sponsored by the CIO and signed by the president, my duty was clear. I refused. But I did it politely and suggested that it wasn’t an issue for me to decide. If the CIO was willing to grant an exception, I committed to removing the software as soon as I could. The VP was confident he would get the exception, and I gave him my extension.

          Of course, I knew how the CIO would react. When I asked him about it a few weeks later, it was clear the VP reconsidered, and never asked for an exception to be made.

          In dealing with these kinds of issues, it’s often a matter of your duty to the company as a whole, not just to one individual. Unless it’s the owner who is making the request, not just a VP.

          James

    • #2731419

      Doing the RIGHT thing or the SMART thing

      by haveutriedrebooting ·

      In reply to admin rights for executives?

      Dealing with Executives can be very touchy.
      I support the executive staff at my company and know first hand. I feel for your situation. As I.T. Professionals we all know what the right thing is. I have worked at places where I.T. has teeth and things seem to go much smoother.
      I think the smart action in this case is as others have suggested: send the request for Admin rights up the chain of command. After all, you don’t get to pick and choose who gets them and it takes you out of the line of fire. Unfortunately the top I.T. person in my Org reports to the CFO and there have been many escalations that have not gone the proper way.
      It sounds like your Company is the same, so be prepared to carry out whatever is decided (and preferably get it in an email in case people “forget” who authorized it). I would also suggest a good recovery plan. I try to treat the critical machines as if they were servers (spare hardware, automated backups, etc.). I ghost most of the critical executive machines every other week as access permits and this has saved time/money for all involved. As the front person representing I.T. to our executive staff I feel providing the best level of service as well as being honest about your work will earn you respect and trust. There will always be the prima donnas and egomaniacs but overall I have worked with some top notch professionals. You will always lose in a battle with your boss’s boss’s boss’s boss, even if you are right!
      Just my 2cents worth.

      • #2736910

        Simple Solution

        by druidpromo ·

        In reply to Doing the RIGHT thing or the SMART thing

        It’s a losing battle but you have to protect yourself: give him the rights, document it and get it signed off by your superior. When the crap hits the fan on the laptop, sort the problem out, and trust me, after a few times every exec gets fed up with the “power” of being an admin. That’s my experience. Play up the restore procedure after he messes it up the first time, talk about the “complications” even though you will get it fixed, and you’ll see he’ll think twice about messing with administrator privileges. It’s just a power thing for them; they really don’t mess with it after a while. But in retrospect, being a consultant myself, there are times execs need that privilege when they are off site to install an app or connect to a network, so let them play with it, but like all kids the toy gets thrown to the side eventually…

    • #2736900

      Pls try this

      by amitdkulkarni ·

      In reply to admin rights for executives?

      Hi,
      If you are using Domain policies, then please go to your Administrative Tools, Active Directory Users & Computers. In this section go to the user section. You will find a user entry as Default OU policy deny.
      Add the computer’s entry into the Member section.
      Then go to the Workstation section and select the computer name you entered in the previous stage.
      Here right-click on the name and go to Manage.
      In the Manage option, add the user to the Administrators group. Restart the PC and your problem is solved.

      Generally we don’t give these rights to users using PCs, but in the case of laptop users, yes, sometimes we have to be flexible. But the user’s admin rights are limited to his PC only. So there is no problem in going for this option. After all, it’s your decision in the end.

    • #2736885

      Talk to the big cheese and explain why.

      by tom.flowers ·

      In reply to admin rights for executives?

      I have found over the years that if you sit down and build a case on why they shouldn’t have access and then talk to the VP who says they need it and explain why. If this doesn’t resolve the problem explain that this is a company policy that if changed for one person could cause harm. If that doesn’t work go over his head.

    • #2736845

      Segment the rights!!

      by samh_ ·

      In reply to admin rights for executives?

      Laptop users often need the ability to configure communication devices (modem,network,firewall,…) when travelling.

      Giving them admin rights is dangerous because they are more likely to be attacked while not in their secured office.

      I would create them a local administrator on the PC that will allow them to make any change (they could even ‘run-as’).
      As this admin is local to the PC, it won’t have access to the network, reducing incidents.

      This is not the ideal solution, but I find it better than giving local admin rights to a domain user.
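
The distinction drawn in the post above (a separate local admin account versus a domain user sitting in the local Administrators group) can be checked from the output of `net localgroup Administrators`. This is an added example, not part of the original thread; the domain name CORP, the account names and the approved list are constructed assumptions.

```python
"""Audit local Administrators membership from `net localgroup Administrators` output."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of what the command prints on a domain-joined laptop.
# The domain CORP and every account name here are made up for illustration.
SAMPLE_OUTPUT = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\svp-jdoe
travel-admin
The command completed successfully.
"""

# Assumption: the only domain principals IT has approved for this group.
APPROVED_DOMAIN_MEMBERS = {r"corp\domain admins"}
BUILTIN_LOCAL = {"administrator"}
# Well-known principals that would make whole classes of users admin.
WELL_KNOWN_PREFIXES = {"nt authority", "builtin"}


@dataclass(frozen=True)
class Member:
    name: str
    scope: str    # "domain", "local" or "well-known"
    finding: str  # "ok", "review" or "violation"


def parse_members(output: str) -> list[str]:
    """Return the names listed between the dashed rule and the status line."""
    members: list[str] = []
    in_list = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            # The member list starts after a line made only of dashes.
            in_list = len(line) >= 10 and set(line) == {"-"}
            continue
        if not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    if not in_list:
        raise ValueError("no member list found; not `net localgroup` output?")
    return members


def classify(name: str) -> Member:
    """Label one member by where the identity lives and whether it is expected."""
    if "\\" in name:
        prefix = name.split("\\", 1)[0].lower()
        if prefix in WELL_KNOWN_PREFIXES:
            return Member(name, "well-known", "violation")
        # DOMAIN\account: a network identity that is also admin on this PC.
        approved = name.lower() in APPROVED_DOMAIN_MEMBERS
        return Member(name, "domain", "ok" if approved else "violation")
    if name.lower() in BUILTIN_LOCAL:
        return Member(name, "local", "ok")
    # An extra local-only admin account (the run-as account from the post)
    # has no network identity, but should match a recorded exception.
    return Member(name, "local", "review")


def audit(output: str) -> list[Member]:
    return [classify(name) for name in parse_members(output)]


if __name__ == "__main__":
    for member in audit(SAMPLE_OUTPUT):
        print(f"{member.finding:<10}{member.scope:<12}{member.name}")
```

On a localized Windows install the closing status line is not in English, so the parser would need that line's local wording added.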

    • #2736828

      Sr.VP and pc Admin

      by rayg314 ·

      In reply to admin rights for executives?

      1) I’d have this new senior VP get at least one higher-up to approve the request.

      2) I would not give the Admin-wannabe the Administrator account and password.

      3) See if you can determine specifically what he’s trying to do, and enable just those authorities.

    • #2736726

      Controlling destiny a GREAT idea!

      by gawiman ·

      In reply to admin rights for executives?

      >>he insists on having admin rights to his W2K laptop because he needs to “control his own destiny on the computer” pfft…

      Don’t be so hard on him! In fact, he should carry this philosophy over to other areas of his life. He should insist on piloting every airplane he gets into, so he can “control his destiny in the air.” (instead of leaving that little chore to someone designated by the airline, for his own safety and that of others.)

      He should go into the kitchen of every restaurant, elbow aside the cook, and “control his destiny at the table.” And we haven’t even thought about installing his own furnace, air conditioning, or acting as his own attorney so he can control his own destiny in the courtroom.

      We depend far too much on people who know what they’re doing and have been duly appointed to perform their expert tasks. Why not have chaos and anarchy instead? I’m sure it would make things more interesting.

      (Ironically, that would result in LESS control of our own destiny as we waste time and resources fixing stuff we could have been using to do whatever creative thing was on our agenda…)

    • #2736706

      Admin Rights

      by mstevenson35 ·

      In reply to admin rights for executives?

      Give him Admin rights: but first require him to obtain the same certifications and training that your other I.T. people have who hold desktop admin rights. This preserves your policy and you have not denied his request.

    • #2736638

      If he really wants access, you can try this.

      by floris_vermeir_77 ·

      In reply to admin rights for executives?

      I would not give him the access rights, as in most cases he does not need them, and as said before by others this is just an ego thing.

      If he really wants them then the best way to do that would be to write an explicit policy/procedure for enlarging executive rights that stipulates exactly what the consequences of misuse can be.

      He should be made aware, have it explained to him, and read and sign a document that explains to him what the code of conduct is for laptop users and what his responsibilities are as an executive regarding the physical safety of the laptop, the backing up of any data, and following standardised procedures. It is most important that he signs this. Then it would also be best to check this with HR, and let them explain to him what the sanctions will be for misuse or poor care.

      I would not give him executive support, as you might then end up with one person of your support team mainly supporting that person.

      One other alternative would be to let him sign a kind of contract that explains the levels of priority of problems (service level agreement), and gives him a certain time, like a kind of expected monthly support time. You can then adjust this to his needs, but you can also use it to show him that e.g. he requires excessive support time, and that he should stop playing with his laptop but use it for work.

      The reason I wrote previously that you might have to talk this over with HR first is that from personal experience I know that data is not always fully backed up, passwords are not kept secret, laptops are not taken care of in the way they should be…. It might be necessary to remind him, or include it in one of the above papers, that laptops cost money, that if he loses any data because he didn’t back it up or follow the procedure it is his fault and he is responsible for it… and if this happens regularly, it might be necessary to check whether it’s not better to give him a desktop. Or let him follow computer training together with other people of the company.

      He should be made aware that with a higher title comes a higher responsibility, and if he really wants the rights he can have them. But if I was him, I’d go for normal user rights, that’s a lot less fuss.

      This way, he knows what is expected of him, he has signed and agreed on it, and you are covered.

      My vision for support is that one should try to prevent problems from happening, and calls from happening, and that if problems do arise (and they will) they should be dealt with in a proactive way. Communication should be clear, and standardised.

      But hey, I shouldn’t be telling you this, you already know this, you wouldn’t be on Tech Republic otherwise.

      Hope this was of any help.

      • #2735570

        an apology

        by floris_vermeir_77 ·

        In reply to If he really wants access, you can try this.

        I wanted to apologize for this part of the previous post:

        ” But hey, I shouldn’t be telling you this, you already know this, you wouldn’t be on Tech Republic otherwise. ”

        I don’t know everything, nor will I ever know everything or do I expect anybody else to do so. Most of the novel ways to deal with support issues I learned by reading some of the white papers on this website, as well as looking through a lot of the files in the download section.

        And often I learned how to do things more effectively by doing them wrongly or messing things up, and not to forget, by listening to colleagues and people with more experience.

      • #2735568

        a bit more explanation

        by floris_vermeir_77 ·

        In reply to If he really wants access, you can try this.

        When I wrote about the time quota, I meant that if previous monitoring has already been done, one could unofficially, for the first couple of months, appoint a certain amount of time (expected support time) to a new person.

        This could then be used to see how many times he/she calls, which questions, and what can be done to diminish his number of calls:

        – does he need more basic training?
        – does he need to be made aware that he is not the only user with problems?
        – should he be informed that a PC is to work on, not to play with?
        – and so on

        Using this one could personalise the IT support experience, and by using principles from closed loop marketing, this could be adjusted to do this as effectively as possible:

        – how is the current status,
        – who is uneasy or has a negative look at support,
        – what would he like,
        – is this affordable / within procedures,
        – what can we do to change this person’s view / experience of IT support,
        – what will/could be the result of this,
        – is he worth it,
        – the change is made, what is the result now, back to the beginning

        This will allow you to have users who have a more positive look at IT support (and hopefully some appreciation of the job you do, which is always welcome).

        It’s a bit like internal marketing: you can also react proactively, and the users will be made aware that IT is there to help them do their work.
        You could even use this to find out who needs training, and to tailor that training. Of course there will always be people with whom this does not work.

        One thing I used personally was the welcome letter, which explained the most important basic things a user has to know (you can find it in the downloads section), as well as giving a name to the tech department. I wanted to enlarge this, so it would also include references to training material, initial training courses and follow-up by the IT department as well as the local office.

        If you want to know anything more, just ask. I’ll answer if I know the answer, otherwise I’ll just be honest and say that I don’t know.

    • #2736582

      Make him sign a waiver

      by qwerty2 ·

      In reply to admin rights for executives?

      What we do is make the person sign a waiver granting him admin rights. On the waiver, state something like this:

      You have chosen to receive admin rights to your pc. Please keep in mind that you will be more susceptible to viruses, spyware, trojans and system crashes…etc. By signing this waiver, you understand the risks of having admin rights to your machine…IT will continue to support your machine however you abolish all liability to IT in case of system crashes or data loss…

      blah blah blah…worked for us.

    • #2731409

      Yes, admin rights to executive with care

      by eduardo.victorio ·

      In reply to admin rights for executives?

      The problem is not giving admin rights to an executive in the organization; the real problem is when the user makes changes to his computer and these changes damage the computer, and then it comes with more things for the IT department to worry about. I think it is good to give admin rights to this kind of executive, but with care; the IT department should have good restore best practices for these cases.

    • #2731271

      Try this response

      by vickthevicking ·

      In reply to admin rights for executives?

      Hi Dumb User

      I understand your query regarding security restrictions, it can be a bit of a pain initially, although I am sure you can appreciate the huge task the support team has managing hundreds of different PCs, Servers and Laptops. We have found maintaining the integrity of the operating system goes some way to assist both the end user and support team.

      If you find you need to install additional software or devices please feel free to request this through helpdesk@mycompany.com and the team will be more than happy to assist where possible.

      Thanks
      J Doe

    • #2731134

      Depends. . .

      by boomslang ·

      In reply to admin rights for executives?

      If your boss has the political clout, and your company takes security seriously, no admin rights.

      If your company is stupid, give the executives what they want. These companies like “Yes” men despite whatever they tell you and you are merely the puny little pebble in their shoe that will be crushed anyway. Prepare to be Enroned.

    • #2690483

      admin rights for executives

      by dragon_lady ·

      In reply to admin rights for executives?

      We do NOT usually allow executives administrative rights on their laptops, but have made a few exceptions for the top executives, i.e. Lt. Governor and CEO, to have admin rights over their “local” account only on their stand-alone laptops. They travel extensively throughout the world and from time to time have needed to install something in order to be productive. It’s a lot easier, and safer, to do it this way than walk them through over a cell phone logging on as administrator. We’ve not had a problem (yet) with this practice. However, we weigh each request carefully. These execs understand they run the risk that their laptops could need formatting if we determine it poses a security risk from anything they’ve done by having those rights.

    • #2690392

      Exec Privilege for what?

      by louindc ·

      In reply to admin rights for executives?

      I can identify with both sides. I am in a development shop; developing and testing new apps all the time. I have systems admin duties but no network admin rights. Our CIO does not like my division so we don’t get them. Every time I need to upgrade etc, we are told to call the help desk.

      If the “helpless desk” had a clue half the time, I would not need to “borrow” admin privileges from others to get things accomplished.

      So, my answer to your discussion is… it depends on how good your services are. Sometimes, some of us do need to “control our own destiny”.

      louindc@yahoo.com

    • #2735191

      It is a matter of communication

      by nperez ·

      In reply to admin rights for executives?

      Situations of this kind are experienced as a confrontation about who is in command.

      The notebook is felt to be personal property, and that is why some execs are reluctant to be commanded on it.

      It is key to handle policy distribution and communication to all users properly.

      To fight this at all hierarchy levels, at the time when we deliver a notebook to a user, we make him sign an “Assignment PC Form” where it is stated that he is receiving PC Serial number #### with the following SW installed, to be used as a tool to perform his work for the Company.
      In this note there is a reminder of some key sentences extracted from policies, with the items that we want to leverage based on the culture of each particular organization (i.e. the user is not allowed to install software without authorization from IS, or it is not allowed to use software without its proper license. A password change policy could fit here too, and any other we want to leverage).
      The intention is to mention as few key reminders as possible.

      Later on, during a discussion, this Note signed by the user could be invoked as an external factor, avoiding confrontation.

      If the exec insists, he will know that if he escalates the problem, he will find this signed note in his path.

      Nicolás Perez de Arenaza.
      nperez@iredix.com

    • #3368412

      rights for laptops only

      by mmahon ·

      In reply to admin rights for executives?

      Company policy should facilitate the ease of doing business, not impede it.
      Our company’s policy is allowing admin rights to laptop users only, because the sales and service people travel worldwide and need to load software and change settings in the field to do their jobs.

    • #3367848

      Use caution

      by jeffrey.schneider ·

      In reply to admin rights for executives?

      We have certain people in our organization who have Admin rights on their machines. However, it is a strictly “need to have” condition depending on their job function. We also had a whole technically inclined division that had Admin rights, and lost them due to abuse of our policies. I say figure out exactly why he wants Admin rights (software installs, Windows tweaking etc…) and decide from there.

    • #2723376

      Putting Executives in Policy Asylums

      by jpivonka9 ·

      In reply to admin rights for executives?

      Erving Goffman’s magisterial work “Asylums” describes the consequences to the personality of being placed in the care of “keepers” in an asylum like institution – prisoner, hospital or mental patient, or, in the 21st century, Info Systems policy gaol.

      Some executives may be comfortable with, that is feel no sense of dissonance between, being a dependent in the context of their use of information technology and an independent and authoritative actor in the rest of their work responsibilities. But I doubt many of them will be.

      It is not executives who have responsibility for providing a business case for control over the tools used in their work. Rather, it is the responsibility of information systems organizations to provide the business case for circumscribing that control, when there is one.

      Efforts by IS organizations to exert such control, in the absence of having demonstrated and gained deep acceptance of its business relevance and benefits, will not contribute to the overall ability of IS to support organizational goals, nor will they increase the perceived competence or job security of IS staff.

      If you have not been around that long, find someone who can bring you up to speed on the fate of the “Data Processing” staffs of the seventies and eighties who failed to respond to their organizations’ need for increased control over information technology by line organizations and executives. Then match that to the degree of control over those line orgs and execs being advocated by IS in your organization.

    • #2735840

      RFSC – Revisit your policies, they are incomplete

      by fjeanbart ·

      In reply to admin rights for executives?

      Something is missing in your policy: the provision (procedures) for distinct cases which could go against current policies. Such a clause MUST be integrated, as any policy is prone to encounter valid exceptions: NOTHING is just plain black and white, as for life itself (the only black-and-white rule of life is that either you’re alive or you’re dead, the rest is about dealing with other beings)!

      As such I would promote a policy that is open to modification from time to time, as events or structural modifications occur. Your policy needs to be able to survive business cycles (structural, functional, etc.), and as such to have a life cycle of its own! As such, your policy MUST provide some means for adapting itself (and to clearly document such changes, with memos and other official forms, like an RFSC – Request for Security Change).

    • #2735826

      A VP is rich enough to buy a computer for himself

      by fjeanbart ·

      In reply to admin rights for executives?

      If you wish to stick to your policies, just tell the guy to go fetch a computer of his own. That way, his activities with Bonzi Buddy, games, Kazaa, porn stuff, etc., won’t have any impact on corporate assets (including his “personal” corporate laptop/workbook).

    • #2735799

      What Rights?!?

      by garciainkc ·

      In reply to admin rights for executives?

      Just because he is a v.p. doesn’t give him any rights. Policies are set to keep those individuals out that may cause damage and cost company time and money. He will have to abide by those policies whether he likes it or not. If he wants his own administrative rights, he can find a job elsewhere that will allow him to do this. Stand your ground. We do have this problem where I work and we have to safeguard all of our administrative passwords and user rights. If you’d like, I could tell him, LOL.

    • #2725528

      Use your corporate policy to say “no”

      by usersend ·

      In reply to admin rights for executives?

      I have run into this situation far too many times. I have worked my way up from tech to CIO and it seems all companies have this guy….or is it the same guy? Anyway, do you have any policies that define supported software? If so, this would be the first road to go down. If you make sure that all of the software your policies require for your company is installed and accessible then he need not have access as an admin. Also, do you have a testing policy? I require users to submit software and appropriate software licenses to our IT department for testing (compatibility) and approval before use. Can the software that the person wants to use be secured using your common methods, can it be updated using the avenues already in place, how much support will it require? Also, don’t forget, giving someone Admin or Power User rights also lets back doors in your security become wide open. Having regular user rights will derail (HTML) POP UP installations from the Web, a good number of viruses will be thwarted without Admin priv’s. Without writing a book I think you see the road I am going down here.
      DO NOT TELL HIM NO, this will just incite a show of power, just work within the constraints of policies set up by either your corporate officers or Network Admin etcetera. Good luck!

    • #2726444

      What’s The Big Deal?

      by dmwoodcock ·

      In reply to admin rights for executives?

      It should not be a decision for an IT Admin to decide whether to grant or not grant admin rights to anything unless he is the one signing the paychecks. Corporate policy should dictate when and under what circumstances admin rights are necessary. If you don’t have one then it would be a good idea to have one drafted up and run by legal. This way you can focus on running the systems and networks and let the VP deal with Legal on why he needs admin rights and a change to corporate policy. R/David

    • #2726379

      Could go either way

      by blueknight ·

      In reply to admin rights for executives?

      If the exec wants to be an IT tech, why did he become VP? Presuming the policy came from higher up than he, refer him to the exec who established the policy.

      In our shop, we started out with everyone having admin rights on their own machines (not the network). Then we got new machines and new OS versions, so our support group took away admin rights to make their life easier. Apparently it didn’t.

      Currently, most users (not all) have admin rights on their own machines. The understanding is that if they do anything that “breaks” the PC, the support group will drop a new image on it and that’s that. If you lose files etc., too bad.
      If push comes to shove over the issue, you might consider taking this approach.

    • #2699457

      Sarbanes Oxley is the bottom line

      by rhaas ·

      In reply to admin rights for executives?

      Like it or not, S-Ox is becoming a mandatory part of IT policy of any public corporation, and most executives already know this. Any executive who wants to keep his/her job is not going to request access he/she shouldn’t have for much longer. It will make for easier administration in the long run, but it’s very difficult (politically and otherwise) to back out users’ existing rights on applications, data, and hardware.

    • #2721293

      no!

      by rgarback ·

      In reply to admin rights for executives?

      I’ve replied to this subject before. Policies were established for a reason. If a VP read the company’s policy on the subject he would not put the IT dept. in this position. If he wants the policy changed let him get the ball rolling and if it ever changes, then you give the rights he’s entitled to.

    • #3307176

      No….

      by rgarback ·

      In reply to admin rights for executives?

      I’ve replied to this before. Policies are there for a reason. If an Exec. wants to change the policy then that person should take the steps to do so. It’s situations like this that create internal IT problems and even an Exec. shouldn’t be allowed to bypass established policies. I’ve been in a similar situation and although it’s uncomfortable, stand up and deal with it. When the dust settles you will have nothing to worry about…..

    • #3307425

      Hold the line!

      by akalich ·

      In reply to admin rights for executives?

      You’re the IT professional, he’s the whatever he is…. These kind need to put aside ego and look at what’s good for the company, i.e. lower cost of ownership, stable IT systems, etc etc. If he wants to play IT guy, he can do it on his home system. We dealt with that in my former company and after the initial protests – which were put down by our president – people came around.

    • #3309098

      Not only NO, but…….

      by pga2 ·

      In reply to admin rights for executives?

      I used to work for a large defense contractor. The IT staff would not allow this type of thing, ever. After I transferred to the computer (laptop) and printer manufacturing division, the answer was always the same, NO. If the exec ever insisted, he was told in no uncertain terms that this computer did NOT belong to him, that it was company property and that admin rights to his desktop were “verboten” by company policy (which was true). Fortunately, we never had to deal with these “wannabes” in any large numbers, just one or two. We did have one group that we allowed to do this, but they were led by one of our former sysadmins who left and came back and had the knowledge and expertise to do the job. She took care of the entire group and we only had to supply hardware support, which took a load off of the IT staff.
      That is the only condition under which such requests should be allowed, IMHO.

    • #3241125

      Reply To: admin rights for executives?

      by shaggysheld ·

      In reply to admin rights for executives?

      Admin rights for execs? NO Way hosay!
      They ain’t got a clue.

      • #3241067

        Give what ever they want

        by cybdiver1 ·

        In reply to Reply To: admin rights for executives?

        Always give those that sign your paycheck or that influence your employment whatever they want. Document everything they screw up, and how long it took you to fix it. Save their butts over and over again and you get free tickets to your favorite sports events. You get raises, comp days, and loads of tech toys.

        Make a ghost copy of their PC, make sure daily backups of the data are performed. Keep their email on the server and only a copy on the local PC and let them go hog wild.
        I can restore my execs in less than a half hour, but I usually drag it on all morning so they understand how much of a pain in the ass they have been. Look at all that spyware you downloaded! Oh my gosh, that’s going to take about half a day to remove. Would you like to use the company loaner laptop? I just blow the dust off that PII with 128MB. Heheheh. It should boot up by this afternoon.

        Think of yourself as the doctor of the PC world. You ate a Big Mac? Oh man are your arteries clogged! You’re gonna need some bypass surgery and I need a new car!

        A really good exec is too busy to screw up a computer, and you won’t get a raise from them. Find the screw ups, watch them come and go. Protect those that really run the company.

        The best techs I know, are busy posting stuff here because we have so much free time because our systems are up and running.

        If you see the Techs running, then you know something is wrong with the network.

        • #3180546

          Best Advice EVER!!!

          by Anonymous ·

          In reply to Give what ever they want

          Finally! Someone who gets the point of IT support. KEEP THE BOSS HAPPY! Awesome advice! The way you go about it is professional, your methods are well thought out and through. The boss is happy, the systems keep working and so do you.

          Great business acumen.

    • #3239374

      Thin end of the wedge

      by paul_nanay ·

      In reply to admin rights for executives?

      Giving admin rights to one individual will start a rush for similar rights for others in the enterprise. (Put on your whiniest voice) “He’s got admin rights, why don’t I have them”. Once started down this path, you cannot stop. It will spiral out of control and you will lose any control over your shop.

      • #3180537

        That is what this is about.. Control

        by Anonymous ·

        In reply to Thin end of the wedge

        Who gives a hoot about control? What you should want is influence! Your idea of control is only an illusion. You don’t “control” PCs, you enforce a policy made by the higher-ups. If you have influence you can help direct the nature of that policy. You get influence by being helpful to those in positions of power, NOT by annoying them.

        How can you not see that?

    • #3062324

      Been There — Done That

      by gjcooper1960 ·

      In reply to admin rights for executives?

      Had a similar case at a large international company I worked in. IT manager agreed with me — no admin but he was a friend of the CEO!!!! Finally had to give him the rights BUT…. sign a document that he was TOTALLY responsible for the software state on the machine and his department would be paying $XXX per hour if it needed work other than software upgrades. Well — three system rebuilds later he asked for the rights to be removed — and the IT budget was a LOT healthier…
