Locking Down Users - Knowledge Needed

By tom.day ·
When I accepted my current position as NT Systems Admin three years ago, I was extremely naive about the problems users can get themselves into; and, as most of the already-existing users had been given Administrative rights to their workstations, I didn't attempt to change that policy.
Fast forward three years.
I just did an internal audit of the software installed on workstations in my company, and the results are appalling. After discussing it with my boss and the fellow responsible for desktop support and the helpdesk, I've decided that we've got to lock down all desktops and laptops.
I'd like to collect information from those of you who have had to do this before or who work in an environment where the users have always been locked down. What increased load can I expect for my helpdesk? Is there a good way to allow laptop users to install their own printers? How do you handle screensavers (can the users pick their own)? In short, tell me everything you know, either on this forum or via email. Looking forward to a lot of responses. Thanks.

74 total posts (Page 2 of 8)

Rules are rules

by jeffc In reply to Caution

I agree that policies should be enforced at the flesh-ware end. Everything about the computer and the network is the property of the company, and users should be told what's acceptable and what is not. In our company, no one installs anything except the IT department. Unfortunately, that's just a policy, and difficult to enforce, but I still feel people come first.
You don't say if you have any Mac workstations on your NT network, but if you do, Mac OS 9 makes restricting user privileges very easy.

Management should enforce rules-not IT

by CET Geo In reply to Caution

I too was faced with the dilemma of what to do about all the personal stuff dumped on users' workstations. When I came to my current company they didn't even have policy and procedures in place. In creating these guidelines I was very specific in pointing out that management of workstation use is the direct responsibility of the department managers. We use a chargeback system for tracking of IT expenses and the department manager's monthly report of IT expenditures definitely shows the time and expenses spent in freeing up hard drive space or eradicating a virus due to web surfing or downloading unauthorized programs. With all I have going on in a day I don't feel it is my responsibility to police workstation usage. I do however run bi-annual software audits (obviously I work for a semi-small company) and I provide abnormal findings to the department managers so they can properly manage their employees. I can't say this works as efficiently as complete lockdown but it has had an impact on workstation usage. And this way, the manager gets to be the bad guy by laying down the law and not me ;-)

Lockdown-best solution

by shane In reply to Caution

I do not feel that locking down systems is a detrimental step in any way to help desk support, nor do I feel users really care or follow many of the rules and regulations set upon them in an un-locked enterprise.
Even though we have locked down our NT and 95 systems in a reasonable fashion in addition to strict policies, users continue to try loading unsupported software, drivers and more. With staff being so hard to come by, and often management being the culprit to these problems, I can't imagine why a standard lock-down would not be implemented.

IE Admin Kit can help

by Bearded_Wonder In reply to Locking Down Users - Know ...

If you don't have W2k Pro machines to support you would do well to look into the options you can deploy through the Internet Explorer Admin Kit. IEAK allows you to build a browser and bundle system and desktop policies with it during the install; then it can even automate the update process to the desktop when changes are required. (IEAK is very limited in its ability to lock down W2k machines.)

Lockdown opinion

by dapowers In reply to Locking Down Users - Know ...

This is not a decision to be made over coffee, nor is it enforceable when approached in that manner. The first step is to define the security policy of the organization. If this is done properly and endorsed by ALL management then the "what" should be locked will define itself. You didn't provide enough info to even determine if it is possible for you (i.e., 9x/NT/2000/Mac). Unless you implement version control of software, standard software suites, common configuration of stations, profiles, scripts, admin helper utilities on the WS, remote admin capabilities, (just to name a few) I would expect the job of the HD to become overwhelming. Things the users were fixing on their own now become your problem. And you have no stats on how often this happens which breaks down your ability to predict the increased load on the HD.
Lockdown is easy, support is what will break you if not prepared at the time of lockdown. By locking the systems you also could possibly impact the ability of a user to do their job if a technician is not available to fix something simple that previously the user could work around. There is a lot more to this than just bad software. I am for the lockdown but do it right the first time or you may not get a second chance.

Bill

Needs careful Planning & testing!

by coyotech In reply to Lockdown opinion

I'm the IT manager at our very small engineering office. Everybody right now can do anything except get a virus and send jokes all over the company email. I've set it up so that when we get more employees and policies become more necessary, things are already set up, and we original people know what to expect. It needs careful planning and testing.
I have been the victim of autocratic network admin people, and it isn't good :-) One person locked all the stations down tight. You couldn't do much of anything. Unfortunately they were NT stations and the man had little knowledge of engineering and CAD applications. He didn't allow a big enough swap file to open a big drawing without crashing the system. He didn't install all the standard helper programs and options, and you couldn't do anything about it. He only came once a week, and wouldn't address the problem if he didn't like you. I had work that had to get done, and couldn't do it, so I got the WINNT disk, formatted my hard drive and reinstalled my system and programs so I could work. I was off the network, of course, but at least I could get my work done. Two other people did the same thing for the same reasons. This is an extreme example on both sides, but you see my point: make sure you leave the system workable and practical for the user. I would suggest getting the cooperation of some knowledgeable users and testing out your system with them, modifying it where needed until you have a good balance of security and usability.

Is every user a bad guy?

by blondie In reply to Lockdown opinion

I think most of the replies are not taking into consideration the proactive issues. When was the last time the clients were given an opportunity to do the right thing? Has anyone thought about pulling everyone together, you know... unification, and saying this is the right thing to do?

Most humans are willing to do the right thing if they are approached correctly. I forget the actual college behavioral discussion but the bottom-line is simply this...not all clients are naughty children. Most don't know how they inconvenience the overall system. Nor do they know the costs.

If the company is small to medium a proactive approach might be better than punishing all the users to benefit the righteousness of security and help desk.

I say start with the positive and then move thru to the negative. Let the clients know that you're giving them a chance to self-correct! At the same time they will know that you are checking and trying to do the right thing too!

Not just for "bad" people

by Packratt In reply to Is every user a bad guy?

Ok, when we talk about the uniform desktop policy and methods to prevent users from changing the desktop or installing applications it's not done just because the users are "bad".

Really, this is done to simplify the system, especially for new people and people with few computer skills. The uniform desktop policy prevents illegal installs, and keeps employees from being frustrated by the computer.

The way we have ours set up all the user does is the initial login and that's the hardest part. After the login they see a window with about 10 or so icons depending on which applications they need access to and that's it. If they want to run something, just click it. No start menu, no command lines, no install procedures they need to follow. Easy and efficient for them, no muss no fuss for IT departments leaving us to concentrate on improving things instead of fixing things.

This isn't just for "bad" users, it's for productivity, security, and ease for the user.

IF you use Netware...

by Packratt In reply to Locking Down Users - Know ...

If your NT users authenticate to a Netware network then the perfect solution for you may be ZenWorks by Novell. We use it in our environment and it works wonderfully to lock down NT and other Windows flavor workstations. All we do is replace the explorer desktop with a NAL (Netware Application Launcher) desktop and all the users can run is EXACTLY what we give them permissions to run.

We create application objects on a test machine and Zenworks records the changes and stores the application install on the network. When we assign the application to a user (or users) the icon will appear on their desktop and when they click it will install with no other action on our part. After that the application will run when they click the icon. These applications follow the user, not the machine, so if they move they still have the same desktop and settings. They can modify their desktop if you let them or you can force changes on your own from one place.

No more desktop visits, no more unlicensed software, no muss, no fuss... It made me a happy network manager!

If you are under 18 please get your parent's approval before buying. If you are over 18 please get management's approval before implementing! <wink> Good Luck!

Using Netware

by skhechane In reply to IF you use Netware...

I just want to add that Netware will do the job wonderfully. I am working for a department that does user support for over 2000 computers some of them 1000 kilometers apart. With Zenworks you have features like remote controlling of computers that are far away.
