users with administrator privilege

By storch
Hi,

This may seem very basic to all of you but it is a real problem for me and I need your help in solving it.

For years, all the employees where I work have had administrator privileges on all of the computers, even though most of them don't know what that means. All the computers have the same login and password. It is a free-for-all. As you can imagine, it is a tangled mess.

To their credit, the Macs on the LAN have fared much better than the Windows machines. However, even the Macs have some problems due to the total freedom that users had to merrily download and install.

I can get this mess straightened out IF I am allowed to lock everyone out so that once I get everything cleaned up, I can keep it that way.

My problem is in convincing management that only I, or another tech of their choice, should be allowed administrator privileges. I have shown them with the numbers how much money they can save by me not having to constantly chase both phantoms and real nasties. They are still not convinced. They like the idea of everyone being able to do whatever they want, whenever they want. They don't really realize how much downtime is caused by this "freedom". I apparently haven't presented a strong enough argument as yet.

Any suggestions would be appreciated. Thank you.


Accept it

by bellyware In reply to users with administrator ...

In my humble opinion, you used all the arguments that count.
If management judges that the downside to the current situation is less important to them than the advantages (if any), then you need to learn to live with it.
Remember, it's not your network, it's theirs. And you are there for the sole purpose to keep THEIR network running.
If you cannot do that given the requirements set by management, it's your job to let them know the downside to their choices.
But if they are willing to accept these downsides, you basically have two options: accept it and go on like before, or find a job in a company that agrees with you.
Again, though you should let management take advantage of your expertise, you're not there to make the network run the way you think (and know) it should run, but to make it run the way they want.
Again, if "the way they want" is stupid (and it is), tell them, tell them again, and deal with their decision.


business case indeed

by jdiggs In reply to users with administrator ...

There is a lot of discussion about presenting a business case. I liked the file folder example. Here is another interesting presentation idea.

Install a keystroke logger and screen capture program on a workstation where sensitive data is handled. For maximum shock value, repeat the same steps on a male executive's PC who tends to work late at times. Present the captured data in a meeting with top executives, and explain to them that everyone running as administrator has the access necessary to compromise any computer on the network in this way.

Of course you may want to have a resume and possibly even a lawyer ready to go into action before you do this.


Same Problem but Resolved

by bchan In reply to users with administrator ...

Use a spreadsheet or helpdesk ticket system to validate your case. Record date, start and finish time, user, problem, cause, and problem. We had the same problem in the past. Thanks to the assistance of our Helpdesk group, only a few people actually have admin rights now, after signing a local admin usage policy. Now, if they really screw up their boxes, their systems are re-imaged. After a while, some users get the message: if they screw their boxes up, IT wipes them clean. If they had some important work on the non-working system they broke, too bad. The majority of the people who had local admin rights when we had Win9x don't have local admin rights on Win XP Pro. If management asks you why it is taking so long to do work, blame it on the fact that you're always fighting fires caused by the end-users with local admin rights. If your management is good, they will see the problems and take care of it by giving IT the power to take the rights away. In the beginning we had a lot of end-users complain to us about this, and our reply was: the computers don't belong to you but to the company. The company requires you to use them for work, not for anything not related to work. If you don't like this, your manager and my manager can talk about this.

Also, you should have a Computer and Network Acceptable Usage Policy in place.

I hope this helps.


From the mouths of Microsoft

by allan.claunch In reply to users with administrator ...

I sympathize with your plight. I currently am the sole admin for a group of companies and inherited a similar scenario. They previously never had an admin and the place was wide open in every way imaginable. After immediately plugging all the holes and battening down the hatches, I began systematically stripping everyone of their rights, and I do mean EVERYONE, from the owner on down. Unlike your situation, I was fortunate in that I encountered absolutely no resistance from management; it was the workers that were screaming for my head on a plate. But I was prepared with the ultimate sword... Microsoft's own words. No matter how savvy the infidels are, their arguments fall apart upon being shown the verses straight from the "pope".

Armed with Microsoft's edicts, I explained to them that this wasn't a trust issue in regards to their activity and bore no reflection on them. I explained that my intentions were to protect them, not harm them. I agreed with them that it was a terrible deal that Microsoft had written the OS in such a way that we had to do this to be safe. But alas, it was so, and it must be done.

You can begin by showing them straight from the Help file on their own machine:

Click on "Start:Help and Support"
Click on "System administration"
Click on "Passwords and user accounts"
Scroll down on the right column to:
"Why you should not run your computer as an administrator"

Why you should not run your computer as an administrator
Running Windows 2000 or Windows XP as an administrator makes the system vulnerable to Trojan horses and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site may have Trojan horse code that can be downloaded to the system and executed. If you are logged on with administrator privileges, a Trojan horse could do things like reformat your hard drive, delete all your files, create a new user account with administrative access, and so on.

------------------------------------------------------
Follow this up by showing them excerpts from Microsoft's site:

http://www.microsoft.com/germany/technet/prodtechnol/winxppro/reskit/c17621675.mspx

Overview
Every user and computer has a specific role and purpose in an organization. To accomplish their goals, each user and computer must be able to access certain resources and perform specific tasks. However, allowing users and computers unlimited access to system and network resources and functionality can compromise an organization's security and stability. The access control infrastructure of Windows XP Professional functions to balance the resource access and system security needs of an organization.
For example, Alice works in Accounting and needs to be able to view, but not create or modify, certain Personnel department files that are off-limits to other users in the organization. The Personnel department, which controls these files, uses access control to define which users can have Read-only access to Personnel files, which users can have Write and Modify access, and which users have no access to the Personnel share. Alice is given Read-only access to the Personnel files. Similarly, IT determines that prohibiting users such as Alice from making significant changes to their systems can reduce costs and improve security and supportability. IT makes Alice and other users members of the Users group, thus limiting their ability to install applications and reconfigure their operating system environments. In this way, Alice has the access to resources that she needs, the security of the organization is enforced, and the stability of the network is maintained.
------------------------------------------------------

My favorite site for collecting additional armaments is from one of Microsoft's own security experts:

http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

Hope this helps.


You didn't say it, but ...

by BrokenEagle In reply to From the mouths of Micros ...

Allan,

You didn't say it, but you gave the justification for saying that "user education is the key."

Life is a lot easier when you take the time to educate your users (including their/your bosses).


Not basic at all, but should be

by jj_itguy In reply to users with administrator ...

This problem is a plague and will not leave any tech forum alone. I can't imagine anyone not ever experiencing it in their career. That may not make you feel better, but at least you know you're not alone.

Some things that have NOT worked well for me:
1) Brute force restrictions (because I said so). Hey, we were all young and bold (stupid) at some point... right!?!
2) Giving in to user demands (they're the boss).
3) Ignoring the situation.

What has worked:
1) Educate from the top down. It is much easier to implement restrictions with top-level management on board.
2) Find the users who "get it" and use them as promoters and examples. When people at their own level are singing the praises of whatever is being pushed, it will be more widely accepted.
3) Include all the ideas already presented here in other posts in the education portion (cost savings, less downtime, security, legal implications).

I have found a few situations (traveling salesforce) where admin privileges really help everyone do their job better. I just create a separate local account that can be used in "special cases". I educate them on how/when to use it and make them sign off on a statement regarding policies and procedures for using the laptop, admin account, etc. This is working very well so far (users are happy, I don't get midnight helpdesk calls to install a needed plugin). Oh, I don't put these laptops on the domain either, and I restrict their access to domain resources just in case.

Hope this helps. Keep fighting the battle. I do agree, though, that if you cannot get top-level support, you should find another job. No matter what, you will be the one made to look bad when the @#@# starts to roll, and getting fired over something you tried to fix would not be a good situation.


Start with a Small Group

by Systems Magician In reply to users with administrator ...

Can't win management? Win the users. After all, you interface with them more.

What I did was start rebuilding problematic machines first and lock the user down to "restricted user only". I installed all the applications they will need or conceivably need in the future, and set them up for multiple network printers. I explained to the user(s) that we will try something different that will help stabilize their computers by locking the computer down against changes or installation by malicious intent, like viruses, people who will try to steal personal data on the computer, etc. This part they understood very well. I also compromised: within the 15 work day period, I will give them top priority if there are any problems or concerns.

Eventually, others who were tired of experiencing problems daily asked that their machines be rebuilt to make them stable. The users are now willing to sacrifice administrator rights for a stable machine that they can do work on.

I explained to them too that IT understands no company user intends to sabotage any computer, including their own; it is the things that happen in the background that they don't know about, because of having administrator or power user rights, that are creating this problem. That is why the lock-down helps to stabilize their computers.

Good Luck


users with administrator privilege

by edwards In reply to users with administrator ...

As a senior scientist who has been building and configuring my computers since 1980, I would have no part of your scheme to let only "techs" have administrator privilege. The PC monkey shop does a fine job of unpacking new PCs and laying down an initial image for the unwashed employee masses, but they are clueless when it comes to developing sophisticated software on a variety of platforms. As for "downtime", the PC monkey shop has never experienced downtime or need for their services on my account. The elevated sense of self worth that comes from endless certification programs is laughable.


Valid, if slightly inelegant. . .

by bkinsey In reply to users with administrator ...

There are definitely jobs that require full admin rights to the local system. Yours sounds like one of them, along with anyone who does software development, tools programming, etc.

But it's not a seniority issue: the CFO, VPs and even the CEO don't require that kind of access in most cases, whereas a "lowly" lab tech in R&D might. Nor is it simply based on computer knowledge in general; an employee who knows all about building PCs, networking, software, whatever, doesn't get local admin rights unless their job requires it. They probably present a greater security risk to the company than the ignorant "unwashed employee masses". :-)

By the way, who gets such rights and who doesn't isn't (or shouldn't be) strictly an IT decision. Requires input from line management as to job requirements from an angle that IT doesn't see. . .


ad hominem attack

by truthiness In reply to users with administrator ...

I don't understand how your comment about certification programs is germane to the discussion. You make the assumption that this is about administrator power-tripping, when in fact it is about what is best for the business (or organization).

I would never lock down a machine in such a way to keep a user from doing their work. I will bend over backwards to make sure that people are in no way limited from getting their work done. But, it's not a given that locking down a machine keeps people from doing their work. It may be in your particular case and in that case I would grant the necessary rights. But in my experience, with the type of users I work with, in the business I am in, restricting user rights does not in any way keep people from getting their work done.

Most of my users don't know how to minimize a window, and can't figure out how to log in if their username isn't already typed on the first line of the logon screen. These same people will install programs sent to them by anonymous e-mail without a second thought, with no consideration whatsoever of whether it is work-related. Giving these people full access to a windows computer attached to a network is like giving a toddler a loaded gun.
