General discussion

  • Creator
  • #2175305

    User blocking net admin access


    by ernie2502 ·

    I have a user that under the excuse of storing highly sensitive information in his ws, blocks my access as a net admin to the pc.

    Of course, without any supervision, the ws was infected shortly with a virus.

    After a full reinstall, he changed the Windows password once again.
    Now my boss asked me about a lost file in this user’s pc.
    He always refused to store any information on the server, that is backed up nightly.

    I’d like to hear from others in my same situation.

    Thanks in advance,

All Comments

  • Author
    • #3322615

      Well I haven’t been in that situation exactly

      by tony hopkinson ·

      In reply to User blocking net admin access

      I was in a situation where I was not allowed to administer personnel’s server (a PC really, but never mind).
      The solution was quite simple I didn’t administer it, they did. I sometimes got asked questions how to do things and if they were nice to me I helped them out.
      If you can’t administer it, don’t is the simple and only answer. You could advise them on back up facilities, firewalling, anti-virus etc.
      You’re in a situation where you can’t and they obviously aren’t.
      One of these issues needs addressing. Why don’t they do an encrypted backup to your system? They have the key and can read it; you have the file, so it will be safe. As for the virus, well that’s a good reason to go ballistic, if they can do that inside your DMZ or they are not inside it build another firewall around them immediately.

      Conversely just beat them over the head with an admin manual until they die or something.

      • #3322595

        Issue for business manager

        by stress junkie ·

        In reply to Well I haven’t been in that situation exactly

        Tony’s advice seems like a good approach to living with such a situation.

        This sort of thing has to be taken up with management. If the appropriate people approve then there isn’t any legitimate recourse. Try to keep your focus on the best interest of the business, which means, as Tony said, cooperating with the person in configuring the equipment.

        My other observation is that system administrators are, by the nature of their job, in a position to see all business confidential documentation. The business management typically takes the position that the system administrator has got to be trustworthy. I question the legitimacy of the ws user’s claim that the documents on the ws are too sensitive to be accessible to the system administrator. The only situation where this might be a legitimate claim is if there are classified military documents on the machine and if you do not have a clearance sufficient to access them.

        My first thought, however, is that the ws user is either running a separate business and keeping documentation for that on the ws or they are keeping pornography on the ws.

        • #3322549

          That’s what happened

          by tony hopkinson ·

          In reply to Issue for business manager

          Lines were drawn, responsibilities established, end of conflict.
          That’s what’s got to happen here as well, the current situation is untenable.
          I could possibly have lived with being locked out of the data as an admin and provided backup facilities, the virus thing though, I don’t understand how that can happen. Well actually I do, but he wouldn’t be doing it inside my network.

          I seriously think about monitoring what this guy is accessing; after all, threat and security investigation is definitely an admin’s responsibility.

    • #3322593

      Tell him to go pound sand

      by dafe2 ·

      In reply to User blocking net admin access

      Put a firewall around him (or) remove him from network. YOU’RE responsible.

      Anyway, the guy’s a knob & puts the network at risk. Refuse to do anything for him.

      Explain your position to management & ask what they want done.

      On the other hand, as Domain Admin, you could do all kinds of other stuff to screw with this prima donna’s head too 😉

      As Stress Junkie said…….I (too) have yet to meet an admin that was restricted from Info on the network. It’s a position of trust by definition.

      • #3322495


        by digitalxeron ·

        In reply to Tell him to go pound sand

        If he places your network at risk (be it security or viruses), threaten to remove him unless he cleans his machine and can prove it, as stated in the previous post, it’s not your responsibility for the welfare of his files if he does not utilize the servers that are backed up but it’s your responsibility if he places your network at risk.

    • #3322553

      Does this user have Admin. privileges?

      by deepsand ·

      In reply to User blocking net admin access

      If so, does he really need them?

      If not, set him up as a User, and reserve the Admin. privileges for yourself.

      • #3322551

        Admin rights

        by ernie2502 ·

        In reply to Does this user have Admin. privileges?

        Yes, he has Admin rights because he is one of those users that likes to install whatever he wants.
        I’d be in trouble if I tried to limit his actions.

        The problem is that with that freedom, he degrades the OS very often. I agree that a net admin must be a trustworthy person and I don’t fit in that level for this unruly user.


        • #3322550

          Sensitive Data

          by bfilmfan ·

          In reply to Admin rights

          I would have a discussion with the manager if he is holding HIPAA or SOX related data on that workstation.

          And I would find out what the policy is on acceptable usage. As soon as he violates it, record the incident, follow the procedure (usually it is notifying IT management and HR and legal that an acceptable usage violation has occurred and to protect company assets you are deactivating his network user and machine account. Then turn off his network port.)

          If they are not willing to deal with the issue, notify your boss that all issues concerning this workstation will no longer be handled by you, since you cannot effectively administer the workstation. This means that management will be solely responsible for all legal ramifications of the loss of HIPAA or SOX data, inadvertent release of client data, etc.

          Then when bozo user gets a virus or corrupts his system and needs help, point him to your boss and politely say, “I am sorry. I do not manage your workstation. You will need to discuss that issue with my manager.”

          Usually taking a hard line on the issue is the ONLY way to deal with these political games that happen in some offices. If you state clearly that you refuse to play them and management has to deal with it, the games usually quickly go away.

        • #3239017

          Put it in WRITING

          by hstearns9 ·

          In reply to Sensitive Data

          I have been in a similar situation and the only way to handle it (in my not so humble opinion) is to:

          1. Inform management and make sure that they are aware of the possible ramifications of letting this “loose cannon” have his way. Put the information in writing. Maybe even have a manager sign-off giving this user the right to be an “exception”.

          2. Document EVERYTHING! He has a virus; document it. He refuses you access to his WS; document it. Track his network/Internet usage; document it. It can save your hide in the end-run.

        • #3322547

          You’ve got to wrap this guy

          by tony hopkinson ·

          In reply to Admin rights

          up. Does matter how much control he needs on his PC, or how secret the data is, wall him off from your network. If they won’t pay for a hardware solution proxy the bleeder off a pc you do control, no way he can argue with that. As far as back up goes all he needs to do is take a copy encrypt it (RAR/Winzip with a password would probably convince this amateur) and then park it on your server for daily back up.

          Set it all up looking extremely sullen as though he’d got one over on a mere pleb like you.

          Then monitor the clown’s traffic. I’m almost positive he’ll give you a whole load of opportunities to blow him right out of the airlock.

        • #3322546

          Authority & Responsibility go hand-in-hand.

          by deepsand ·

          In reply to Admin rights

          It’s not clear exactly what the chain-of-command is here, so I can make only general observations & suggestions. I take note of your mention that you would “be in trouble” if you tried to curtail his user privileges, which suggests that he is either in a different branch of the chain-of-command, or that he is superior to you.

          In either case, you will find suitable recourse only at a level in the chain-of-command which is superior to both yourself and the problem user.

          You must convey to such person that, if you are to be held responsible for maintaining this user’s machine, then you must also have the necessary commensurate authority; without such, you cannot be held accountable for the results of his actions. Only by enlisting such support will you be able to regain control of this user.

          Barring that, your only viable option is to do no more than required to by way of support for him; and, to the extent possible, make him your lowest priority. In that way, he may eventually come to realize that it is he who is harming himself. (But, I would not count on that happening.)

    • #3322484

      Policy and rights

      by deadly ernest ·

      In reply to User blocking net admin access

      If the corporate policies allow the user to have the admin rights such that they can block you out then you can only follow the policy.

      I did have this situation once and got permission to set the system up with two hard drives, the second hard drive mirrored the first. We then wrote to the line manager explaining the situation and stating that mirroring the hard drive was the ONLY back up support we could provide in this case. We also explained that since the user had admin access and was denying us admin access the PC was no longer under any support as it was outside the control of IT. The line manager was required to sign one of the two attached documents: 1. Accepting that situation, the responsibility and probable future costs; or 2. Instructing the user to hand over all admin rights and to store all data on the server.

      The line manager chose point 1.

      We could have gone either way. However, we made it clear to the manager that the situation caused problems, what they were, and had them decide and accept responsibility for what they wanted to do – customer service, if the customer wants to be a dickhead you let them but make sure you do as much as you can to protect yourself and the business first.
