General discussion

Locked

users with administrator privilege

By storch ·
Hi,

This may seem very basic to all of you but it is a real problem for me and I need your help in solving it.

For years, all the employees where I work have had administrator privileges on all of the computers, even though most of them don't know what that means.All the computers have the same login and password. It is a free-for-all. As you can imagine, it is a tangled mess.

To their credit, the Macs on the LAN have fared much better than the Windows machines. However, even the Macs have some problems due to the total freedom that users had to merrily download and install.

I can get this mess straightened out IF I am allowed to lock everyone out so that once I get everything cleaned up, I can keep it that way.

My problem is in convincing management that only I - or another tech of their choice, should be allowed administrator privileges. I have showed them with the numbers how much money they can save by me not having to constantly chase both phantoms
and real nasties. They are still not convinced. They like the idea of everyone being able to do whatever they want, whenever they want. They don't really realize how much downtime is caused by this "freedom". I apparently haven't presented a strong enough argument as yet.

Any suggestions would be appreciated. Thank you.

This conversation is currently closed to new comments.

71 total posts (Page 3 of 8)   Prev   01 | 02 | 03 | 04 | 05   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

It worked out because....

by oldbag In reply to a possibility

most of my users are not exactly what could be called 'power users'. I setup the systems with necessary apps and most of the time, nothing further is needed.

Collapse -

Try "clerk" or "janitor"

by m.jarvis In reply to users with administrator ...

I once read an amusing account of an academic UNIX admin with this problem--all the PhD's had "reasons"--and clout--to force him to give them the root (UNIX administrator) password. He solved the problem by changing the name of the administrator account to "clerk" and the demand for THE password dropped sharply. I suppose that "janitor" would work just as well--and sysadmins ARE electronic janitors.

It would be a little harder to pull off in a Windows environment, but HEY, it's fun to think about.

-mj-

Collapse -

Love your reply!!

by Joyce.Lippens In reply to Try "clerk" or "janitor"

And it worked!! Amazing what people with "clout" want things to look like BEFORE they consider them worthy of their use! Brilliant!!!

Collapse -

My thinking on this..

by sevenex In reply to users with administrator ...

Maybe one of these could work, but it'll depend on if they're willing to undergo the expense, either of your time or the extra equipment or setups in #2.

1) Warn them if everyone has a free-for-all that it may require whatever they have installed or important data not backed up to be "hosed" if it's just too much trouble and fuss to clean it up, particularly if a nasty is caught that makes significant or critical changes, such as the file system. Sometimes, time is of the essence unless your management has the Devil May Care attitude about things. Keep mirror images of a clean system and be prepared to ghost.
2) Perhaps having alternate computers, a kind of community computer(s) also networked could help you drive home your argument. Lock down the important machines as you suggest, yet have the alternate ones as those free-for-all's so they will see what happens, and document it whenever anything is required of any computer for A->B comparison including installation of all apps. Hopefully the overall network can support the extra bandwidth demanded by this solution, although I worry if these share the same network that a nasty may still propagate regardless, so a separate subnet separating these two classes would better prove the case, albeit even more expensive! Each to their own I say, but do be careful with the politics that they cannot be allowed admin access on the important or lockdown machines. Especially when dealing with non-tech sales, this can quickly become problematic and make the validity of your results as invalid. If you are to conclusively prove your point, the above can't be violated, NOT EVEN ONCE!
3) As an in-between, have the company approve a policy of requiring approval of any and all program apps, regardless of one's standing or position. That would be ideal in my opinion. In your favor, you'll be able to review if installation of apps on the company's workstations or network is legal or requires licenses in the environment - a perfectly appropriate role for any attentive admin to attend.

Collapse -

Use Financial Figures as a Weapon

by ssp In reply to users with administrator ...

It is very simple as well as complex. First and foremost you should have some kind of ?Financial data? in your hand. Collect some kind of Financial data and show it to your management. Management never worries about the latest anti virus patches or fire wall policy/setting, they are just worried about monitory aspects. Hence if you prove that there is a substantial loss both in form of time and money by showing your figures , i am sure they will defiantly pay the heed.

Collapse -

Sometimes....

by Joyce.Lippens In reply to users with administrator ...

The best case is proven in the pudding so to speak....Questions: Has the network ever been compromised to the point of complete disaster? Do you have a good disaster recovery plan? Sometimes upper management will not listen until you have a "reaction" situation instead of a "proactive" situation as it sounds you are trying to create.

I read a few of the posts and they all had wonderful ideas! I really liked the idea of making the administrator id clerk or janitor....that was one of the best I had heard yet!

Collapse -

Use the leverage in Sarbanes Oxley law

by jbwardlaw In reply to users with administrator ...

Your executives obviosly do not understand their legal repsonsibilities about proper internal control. I recommend that you review the Sarbanes Oxley law. It spells out how internal control must implemented. Data and Network security are totally involved.

Collapse -

Hooray!!!

by sully In reply to Use the leverage in Sarba ...

Yes, that is the ticket. There is even more to come with this law and others that are sick and tired of business's obvious abuse of data security because an owner thinks he/she needs to make everything easy. Good call.

Collapse -

IF the co. is publicly owned

by curlergirl In reply to Hooray!!!

Sarbanes-Oxley only applies if the company is publicly owned (i.e., stock is publicly traded). This is not the case with 90% (or more) of the companies in the U.S., so be careful. For example, the clients I work with are all very small companies - usually 100 or less employees - all of which are either partnerships, sole proprietorships, S-corps or limited liability corps. None of them are subject to Sarbanes-Oxley. If I brought it up to them, they would just thumb their noses at me, particularly since a lot of them are lawyers!!

Edited for grammer - for all you grammar-mavens, I meant to say, "usually 100 or FEWER employees" not "100 or LESS". ;-)

Collapse -

True, but consider this

by paul_inglis In reply to IF the co. is publicly ow ...

Sarbanes-Oxley or not, does your company (no matter how few employees it has) do business with other companies?

I ask this question because your employees may take their laptops and connect to another company's network.

Is your company willing to take the risk of infecting another company's network with viruses/trojans?

And remember the company is responsible for the actions of its employees. If you have someone who is a loose cannon, it's not just your own internal systems that are at risk: that employee might do damage to your other companies systems as well (even just via email). And guess who is held responsible? Yes, the employer. Particularly if you can't even identify which of your employees was responsible.

This isn't just hypothetical - I've been involved in legal situations where employees of Company A has sent lewd, threatening (or just generally inappropriate) emails to an employee of Company B. All of a sudden you've got a lawsuit on your hands. And if most of your clients are lawyers then they really ought to know better. I think they should hire somebody with Compliance qualifications quick smart.

If that doesn't scare you enough - one day you might have an employee downloading very illegal stuff. When the Feds come to your office they'll arrest YOU, Mr or Ms Network Administrator. That's no joke, and yes it really happens.

Back to IT Employment Forum
71 total posts (Page 3 of 8)   Prev   01 | 02 | 03 | 04 | 05   Next

Related Forums