users with administrator privilege

By storch

This may seem very basic to all of you but it is a real problem for me and I need your help in solving it.

For years, all the employees where I work have had administrator privileges on all of the computers, even though most of them don't know what that means. All the computers have the same login and password. It is a free-for-all. As you can imagine, it is a tangled mess.

To their credit, the Macs on the LAN have fared much better than the Windows machines. However, even the Macs have some problems due to the total freedom that users had to merrily download and install.

I can get this mess straightened out IF I am allowed to lock everyone out so that once I get everything cleaned up, I can keep it that way.

My problem is in convincing management that only I, or another tech of their choice, should be allowed administrator privileges. I have shown them with the numbers how much money they can save by me not having to constantly chase both phantoms and real nasties. They are still not convinced. They like the idea of everyone being able to do whatever they want, whenever they want. They don't really realize how much downtime is caused by this "freedom". I apparently haven't presented a strong enough argument as yet.

Any suggestions would be appreciated. Thank you.


Business case

by curlergirl In reply to users with administrator ...

Usually, the business case for security issues like this is made by illustrating what could happen if someone got unauthorized access to your network. The cost of your having to go around and clean up after everyone is a hard case to make. From management's standpoint, they're paying your salary, and if that is part of your job, they don't see that making your job easier or making you more efficient is going to save them money. We all know that it will but it's hard to convince upper management. Perhaps looking at the bigger picture, which is what they will want to see, will help. Look at it from an overall security standpoint, including concerns like network intrusions, trojans and malware that allow hackers to steal information, etc. Depending on what type of company you work for, this could be easy or hard. If your company is in the retail, financial, legal or medical field, where there is a lot of consumer confidential information in your systems, it's easier to make the case that it could cost the company hundreds of thousands if not millions of dollars (in lawsuits, etc.) if some unauthorized person got into their system and stole customer information. If you're in a different field, the case might be a little harder to make, but at least you can always make the case that a disgruntled employee with such total access to systems could trash their entire network and walk out the door. That would certainly cost a great deal and, depending on how good their disaster recovery systems are, they could even lose vital data.

I just had a somewhat acrimonious newsgroup argument with another network admin about this issue and the idea of "trusting" or "not trusting" your employees. He claimed that he trusted his users and they trusted him, so they wouldn't do anything to trash their machines. I argue that it isn't a matter of trust at all. Of course you want to trust your users, and most of them will of course be completely trustworthy. But it's naive to ignore the fact that even a single user with administrative access to systems, who for some reason forms a grudge against the company, could do some serious damage. This happens with formerly trustworthy employees every day; it's why many companies now, when they fire someone, don't even allow them to return to their desks before leaving the building. I've had clients instruct me to lock an employee out of the network at a specific time of day because that's the time they were going into the human resources office to be fired.

I don't know if these ramblings have been helpful, but I hope they've given you some ideas.



by storch In reply to Business case


Good points!

Regarding trustworthiness - I do trust the users for the most part. But I have found that problems are being created perfectly innocently on the users' part. And then there is always the possibility of that occasional ex-employee with a grudge.

Thanks for your help.

PS I am embarrassed to say that I knew nothing about Curling until I saw it in the Olympics. Fascinating. Do you play?


Curling Rocks!

by curlergirl In reply to Thanks!

Yes, I play, very enthusiastically. And don't be embarrassed - almost no one in the U.S. knew about it until the Olympics, except in the upper Midwest states. In Canada, it's so popular it's like bowling or even baseball in the U.S. in terms of how many people do it.

I started about 18 yrs. ago and plan to continue as long as I can. It's a great game, requiring brains, physical control and strategic abilities more than brute strength, and something you can continue well into your "senior years." If you want more info about it, go to my club's website -


Completely agree

by pkr In reply to Business case

All your points are valid, but most bosses won't understand as their world is what they (or their teenage son) do at home. "Hey let's use this thing called Windows, people use it at home, so we save on education". Ever heard that phrase?

Ask them to hand out the building master keys to everybody. Why should access to the building be more strict than access to vital information?



show them what could happen...

by arlie1982 In reply to Business case

I started working for a small title company about 8 months ago. When I came in everything was a mess. Everybody had admin rights on every machine. I came in and made a comment to my boss that it wasn't good. I showed him what one machine could do and almost immediately he gave me control over the network. Our network was so slow; spyware, adware, even viruses were crawling on our network. Once I cleaned it all up I locked dumped everybody down to users. It was a pain but after that uptime and network performance boosted up. Hope this helps!


Give them access to what they need

by sully In reply to Business case

If you know what they need specific access to then give them that access explicitly. You can provide <modify> access or go into advanced to supply specific "drilled down" permissions to certain folders. The best routine for this is through proper OU and GP management. Create an OU for these admins and add their user accounts to them. Open the properties for that OU and apply the appropriate GP to it. Then fine tune it by adding directory permissions where applicable. No one but admins need full permissions over the drives; however, some folks may need "almost" full permissions over certain directories within the drives. You can tighten security by requiring username and password information for all access and by disabling the caching of passwords on the local machine but that may not be the best solution, it rarely ever is and makes your job more daunting. If they are able to do their job without knowing that they don't in fact, have "full permissions" on all of the drives then you've won and they've won. If they still manage to think that they are supposed to have "full" permissions then document accordingly and give it to them and document all of the issues that come up that result in you doing more work for their screw ups, just don't label it that way. Present the case, bring the focus into perspective and offer a solution and then train them in how to use their network. The analogy I've used in the past has been related to a person's relationship with their accountant. Yes, they have the right to see everything the accountant does and should be able to change anything they want; however, why did they hire the accountant in the first place? Usually, we all hire experts to delegate the burden and control effectively and we trust those experts to handle the tasks and responsibilities of those jobs. I can't see the reason for allowing any "Non-Administrator" full permissions over anything, unless a specific program or process requires it, like some DOS apps.
The other issues that come up are that sometimes upper management "needs" something because a lack of training tells them that they need something they don't. Ask enrolling questions, get their answers and discover how they are using the network, then compare that data to how you need them to use their network and discover a course of action to achieve that result. My thoughts are that this is a mix of training and a mix of communication that is getting lost in maybe jargony terms and lack of enrollment. Keep it simple and clear and always take care of your bosses, just cover your a$$ with appropriate documentation.
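
The local side of what sully's post describes (explicit Modify rights on one folder in place of administrator rights), as an added example that is not part of the original post or thread. The folder path and group name are placeholders, and the OU and Group Policy steps are not shown.

```powershell
# Added example. Run from an elevated PowerShell session on the workstation.
# Placeholders (assumptions, not values from the thread):
$Folder    = 'D:\Shares\Accounting'       # directory the users actually work in
$WorkGroup = 'EXAMPLE\Accounting-Users'   # domain group that needs write access

# 1. Inventory the local Administrators group.
#    S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
#    so this also works on non-English Windows installs.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Flag every member except the built-in Administrator (RID 500)
#    and Domain Admins (RID 512) for review.
$review = $admins | Where-Object { $_.SID.Value -notmatch '-(500|512)$' }
$review | ForEach-Object { Write-Warning "Review admin membership: $($_.Name)" }

# 3. Preview the removals without changing anything. Drop -WhatIf only
#    after the folder permissions below are in place and tested.
$review | ForEach-Object {
    Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $_ -WhatIf
}

# 4. Grant Modify (not FullControl) on the one folder, inherited by
#    subfolders and files.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $WorkGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 5. Verify what the group ended up with on that folder.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $WorkGroup } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```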


They pay you the same amount either way

by jdclyde In reply to users with administrator ...

so that is not where you want to build your case.

Look towards end-user down time. When they pick up the latest virus/malware, how long are they down on average? What would it take to prevent this down time?

Keep in mind, your job is NOT to keep systems in a set config, it is to make sure the users can do their job. Period. If the user can not do their job, there is a problem that needs to be addressed.

Lock down the insecure sections as much as you can, without restricting what the user can do. More than that, and in the current environment you will just be seen as the wannabe IT-Nazi on a power kick.

You have to show them how THEY benefit. They don't give a rat's a$$ about how YOU benefit, so leave that out.

Good luck.


you're right

by storch In reply to They pay you the same amo ...

Thanks jdclyde,

I actually am concerned about stepping on toes and perhaps appearing like I'm a cop.

For me, it truly is about having everybody be able to do their work unencumbered by computer hassles. I see what you mean. I need to show management how the Users will benefit. I will leave the part about me out.

Thank you


Been there, done that

by jdclyde In reply to you're right

won the cookware.

I have already been through this same thing, and still do to a point. The voice of experience.

Oh, non-geeks have heard so much doom and gloom from the people pushing security products, they are pretty numb to a lot of that as well. They are like kids, with the "It won't happen to me" attitude.

Good luck.


Not all. . .

by bkinsey In reply to you're right

Don't just show them benefit for the users, show them benefit for the business, chiefly in the form of reduced risk.

The risk of data loss or theft has already come up, and it's valid. But equally valid is accountability. That same login and password situation should scare the crap out of any manager whose vocabulary includes the word "lawsuit".

To illustrate, suppose any number of things: an employee surfs where they shouldn't and gets into legal trouble, somebody manages to infect their system with the latest file-destroying virus, which spreads through the swiss-cheese security and destroys (or worse, alters) your quarterly financials, or whatever. Who did it? Who knows! Even if you trace the login, it tells you nothing. Most management understands "CYA", and would tend to want to fire the person responsible. But if you can't document who that is, you're looking at possible wrongful termination suits. (Extreme case, admittedly, but something along those lines)

As far as local admin rights for users, I tend to think of it as the bane of our existence, but there are points on both sides, depending on business needs of the users. Worst thing about it is probably security - any malware will run under the user context of the logged-on user; if they're an admin, there are basically no limits to what it can do.

Hard battle to fight, but worth winning. . .
