General discussion


Locking Down Users - Knowledge Needed

By ·
When I accepted my current position as NT Systems Admin three years ago, I was extremely naive about the problems users can get themselves into; and, as most of the already-existing users had been given Administrative rights to their workstations, Ididn't attempt to change that policy.
Fast forward three years.
I just did an internal audit of the software installed on workstations in my company, and the results are apalling. After discussing it with my boss and the fellow responsible for desktop support and the helpdesk, I've decided that we've got to lock down all desktops and laptops.
I'd like to collect information from those of you who have had to do this before or who work in an environement where the users have always been locked down. What increased load can I expect for my helpdesk? Is there a good way to allow laptop users to install their own printers? How do you handle screensavers (can the users pick their own)? In short, tell me everything you know, either on this forum or via email. Looking forward to a lot of responses. Thanks.

This conversation is currently closed to new comments.

74 total posts (Page 5 of 8)   Prev   03 | 04 | 05 | 06 | 07   Next
Thread display: Collapse - | Expand +

All Comments

Collapse -

Locking Down Users - Knowledge given

by cparrish In reply to Locking Down Users - Know ...


Have fun with this one. I have had to do this in the past. You can look for an increase in Help Desk calls at first, this will just help you weed out the problem children. All in all it is a wise move on your part. After the storm you will have a better feeling and a better control over your network.

Be ready for some resistance, just make sure your service levels are there. People will complain that it takes too long to get software installed when they have to wait on the Desktop team to get to them, after time that will change if your service levels pick up.

Mobile users adding thier own printers, you will need to put them in the print operators group, or the local power users group.

In this situation I would recommend management software, such as MS SMS or Novell ZEN Works. They will make your life alot easier. You can install software remotely, the Help Desk can remote control the users PC and help them there as well.

Good luck!

Collapse -

Highs and Lows of Lockdown

by sfbarnes In reply to Locking Down Users - Know ...

With the advent of increasingly user-friendly software and even hardware, users are getting bolder about installing/upgrading their own desktops or laptops. Yes, this can lead to more issues for the Help Desk or LAN Admin. As a past Admin for Netware and NT I have seen my share of user nightmares such as screensavers like AfterDark bring network performance to its knees.
Lockdowns are a bite- the- bullet solution. It takes time to work out the kinks in the profile chosen (with a lot of input from other Admins and Desktop Support), but makes life easier for all in the long run. Users get used to updates on acceptable products for use on the network coming from you and you keep a handle on consistency on the LAN/WAN. Take the plunge, lock em down!

Collapse -

Locking users down

by Dave_again In reply to Locking Down Users - Know ...

Well it's sad to say, but in most organizations users cannot be trusted to police themselves. I've run both ways and what I find is that you get FAR less calls from users who have been locked down than systems which are left open. If you are going to lock them down, lock them down HARD. In one instance I not only disabled all customization of the desktop, but actually put in the 'allowed software' rules. The only caveat with this is you have to really plan out what apps users will need to run. (ie: If you forget to put Notepad into the allowed list, it won't run.) The users WILL grumble, but it's kind of hard to make a business case for needing Solitaire on your workstation. Locking them down CAN also assist in preventing viruses. (I say can because if it's going to run apps not on the list to activate or propogate, it gets stopped then and there.) Before locking anyone down, you shold release a policy indicating what is and is not allowed on the company network, and explain that loading unauthorized software can result in administrative action.

It won't make you popular, but it will reduce helpdesk calls.

Collapse -

Lockdown experiences

by bmcgrego In reply to Locking Down Users - Know ...

I have experienced and applied desktop lockdown for over five years. Where I am not the definite expert, here is the opinion.
1. Lockdown is never a technical issue
2. Lockdown must be supported by ALL management from the CEO level downward.
3. Lockdown will initially be a cultural issue, but can be eliminated by management( see #2 above).
4. Screensavers and other desktop placebos are a no-no.
5. The excuse of " my job is unique,my software is unique," from endusers is not a technical road block for todays IT manager and staff.(see #2).Deal with it.
6. You must have an IT plan to advise users on benefit and legal reasons (software licensing eg.)to execute a desktop rollout.
7. Prepare for the next version of desktop as soon as thefirst one is rolled out.
8. Software life and desktop life is an average of three years.
9. Train your users. see #2
10. Communicate, communicate, communicate!

Collapse -

Locking Down Desktops

by gwall In reply to Locking Down Users - Know ...

Thin Client is the way to go.
You can check out this website

Collapse -

Policy Editor

by chris mckinlay In reply to Locking Down Users - Know ...

Policy Editor will let you allow or disallow a lot of the small things you mentioned (screen saver, wallpaper etc.) Expect an increase in help desk calls as well as a ton of initial fall out from the user community. Change and freedom lost are twoof the bigger factors of unrest in the end user community. Good luck.

Collapse -

limit lockdowns

by kidddarren In reply to Locking Down Users - Know ...

I have found that locking down workstations is sometimes needed for trouble Eu's. Try not to kill the moreal of the overall workforce by implimenting tough policies for your Eu's.

Collapse -

Lock'em up!!

by jefnalma In reply to Locking Down Users - Know ...


My name is Jeff Blackstock. I am an NT administrator for a command in the Navy. Most all of our workstations are locked up tighter than Fort Knox. However, Everyone with a login has internet access. This intern allows them to download things from the net. Just last week I got a call that one of the applications we use to document maintenance was not working. I was in shock when I looked at their hard drive. The available space on drive c was 1.50KB. I immediately removed all games, screensavers, and any other of the cute little attachments that they get in their e-mail. Cleaned out 640MB of junk. So, yes I am in favor of locking down systems.

AZ3(AW) Jeff Blackstock
US Navy

Collapse -

Reply to Lockdown

by Sean D. In reply to Locking Down Users - Know ...

I'm the Help Desk Admin in a user environment of over 600. If you follow through with this lock down of the network you can expect a flood of calls from the users. Atleast from my experience you will, but with a thought out explanation of why this choice was made you should find most users will understand. Send an email out to all mail users letting them know this is going to happen because if you spring it on them their more likely to react in a negative manner. I found that when our network manager made changes like the one's you've mentioned users feel like they are being punished for no reason. I had a user who swore up and down that she never downloaded programs off the internet and barely used it. Well I went ahead and asked her if Icould take a seat, and showed her the host of junk she'd downloaded. I asked her if she ever received permission from IT to download these programs and of course she was left dumbfounded. So fight fire with fire if you have to and point out specifics if the user just won't give in. Let users know that many things they download off the Internet or bring from home may not be compatible or could cause changes in your current environment. Also let them know that these are company owned PCs and if you have a document of PC and Internet Policy Use give it to the user, and show them that they do not have the right to use the PCs they way they have been.

Collapse -

lock down = pain

by rafemonkey In reply to Locking Down Users - Know ...

tight control has one major disadvantage, it means that you have to visit each machine when you need to make the slightest change (unless you use some sort of network tool, but those have thier own shortcomings) this works fine if you have plenty oftime and people to devote to these problems, however if you are like me (no time, no spare people) it's a hassle. my solution was to leave the machines unlocked, but to be clear to the users that they were not to screw around, I have HD images fo the computers in my office, and if I find a machine that has been monkied, or had nonstandard software, I just reimage it... it only takes a couple of times for the users to catch on. (plus being able to reimage a machine cuts down software support as well)

Back to Software Forum
74 total posts (Page 5 of 8)   Prev   03 | 04 | 05 | 06 | 07   Next

Related Discussions

Related Forums