(no subject)
Jul. 12th, 2009 08:21 pm
I've just moved companies from an IT department that locked its machines right down, to one where users have full admin rights over their machines (both laptops and desktops). In the week I've been in this new place, I've seen maybe 5 machines infected with viruses, and several that needed reimaging because their owners have installed so much junk on them that they move at a snail's pace. In my last job, where I was for nearly 4 years, I think I saw one virus infection, and it got caught and cleaned by the server before the user even logged in.
I'm still quite new in the IT world, so answer me this: should users be granted admin rights over their machines? Am I wrong in thinking that this is a completely stupid and utterly reckless plan that leads to nothing good at all? Does anyone have any good examples of when users having admin rights is actually beneficial to the IT dept?
no subject
Date: 2009-07-12 07:40 pm (UTC)
At my place, users are only granted local admin if the apps they use absolutely, positively DEMAND IT.
no subject
Date: 2009-07-12 07:44 pm (UTC)
*shudders from thinking about it*
no subject
Date: 2009-07-12 08:09 pm (UTC)
Usually, by the time you have the third criterion, you're able to figure out ways to give ordinary users exactly what they need, and nothing more, without giving them full admin privileges.
Most organizations that I've seen stumble badly at the second criterion, and have a hard time determining when the first criterion is truly applicable. A huge step forward in my opinion would be achieved by insisting that users be computer literate. And mandate required training whenever someone says "I'm not computer literate, ha ha." Making computer literacy a requirement for basic employment in any position where using a computer is a normal part of the work would help tremendously.
no subject
Date: 2009-07-12 08:11 pm (UTC)
And even Microsoft gives all users local admin rights.
no subject
Date: 2009-07-12 08:16 pm (UTC)
Will they? Yes, because the IT director (or whatever) either doesn't know his job or has been ordered to by politics - normally by those that don't know better.
no subject
Date: 2009-07-12 08:36 pm (UTC)
no subject
Date: 2009-07-12 08:37 pm (UTC)
Especially in a development environment when developers have to install and uninstall software all of the time.
I think locking down systems leads to stunting creativity in the work environment, stunts employee morale and ultimately detracts from business profitability and flexibility. The idea of locking everything down is paranoid, arcane and ineffectual...
no subject
Date: 2009-07-12 08:38 pm (UTC)
My predecessor's justification was that he didn't have time to support everyone, and our line of business involves a whole lot of piddly little apps that need to be installed at random -- no point in locking things down so every time someone decided they needed a copy of HEC-RAS, they'd have to call IT, especially when IT is probably in East Bumblefuck for the week doing well monitoring. That and up until recently we didn't use the same spec machines, so building a universal image was right out.
But by the end of the year, I'm phasing in user rights lockdowns and keeping up with audits of installed programs, because I'm tired of these fucking cowboys bringing me a laptop with 15 toolbars in IE, three fake anti-virus programs, and some awful viral infection that requires a nuke-from-orbit/reload Windows to dislodge.
SHORT VERSION: don't give them local admin rights. They're probably not responsible enough to use them.
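An added example, not from any poster in this thread: a PowerShell audit of who holds local Administrators membership and what is installed on a set of hosts, the kind of inventory the comment above describes phasing in before a lockdown. The hostnames, the allow-list of expected admin accounts and the output path are assumptions; it needs PowerShell Remoting enabled on the targets, Windows 10 / Server 2016 or later (for Get-LocalGroupMember), and an account that is already an admin on them.

```powershell
# Added example (not from the thread): inventory local admins and installed software
# on a set of Windows hosts so a lockdown can be phased in with data, not guesswork.
# Hostnames, the allow-list and the output path are assumptions; replace them.

$computers = @('WS-ENG-01', 'WS-ENG-02')              # assumed hostnames
$outFile   = "$env:USERPROFILE\admin-audit.csv"        # assumed output location

$audit = {
    # Members of the local Administrators group. Domain principals show as DOMAIN\name,
    # local ones as COMPUTERNAME\name.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }

    # Installed programs from the Uninstall registry keys (64-bit and 32-bit views).
    # Deliberately not Win32_Product: querying that class makes Windows Installer run a
    # consistency check and possible repair of every MSI package on the box.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $apps = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Admins   = ($admins -join '; ')
        AppCount = $apps.Count
        Apps     = $apps
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $audit -ErrorAction Continue

# Flag any host where an account outside the expected set holds local admin.
# The allow-list is an assumption; populate it from your own IT/support groups.
$allowedAdmins = @('Administrator', 'CORP\Domain Admins', 'CORP\IT-Support')
foreach ($r in $results) {
    $localPrefix = '^' + [regex]::Escape($r.Computer) + '\\'
    $extra = ($r.Admins -split '; ') | Where-Object {
        $_ -and ($allowedAdmins -notcontains ($_ -replace $localPrefix, ''))
    }
    if ($extra) {
        Write-Warning ('{0}: unexpected local admins: {1}' -f $r.Computer, ($extra -join ', '))
    }
}

# One row per installed program per host, so successive runs can be diffed
# and the "15 toolbars and three fake anti-virus programs" machines stand out.
$results | ForEach-Object {
    $c = $_.Computer
    $_.Apps | Select-Object @{ n = 'Computer'; e = { $c } }, DisplayName, DisplayVersion, Publisher, InstallDate
} | Export-Csv -Path $outFile -NoTypeInformation
```

Run it on a schedule and keep the CSVs: the interesting signal is not any single snapshot but what changed since last week on machines whose owners still have admin.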
no subject
Date: 2009-07-12 09:24 pm (UTC)
The only times we hand out local admin privs are to the IT staff, and to some powerusers that have demonstrated that they both need the admin privs (due to a few lousy applications that don't play nice w/o local admin) and can be trusted not to FUBAR the system. And they get the local admin privs with the understanding that if they *do* FUBAR it, we reserve the right to mock them mercilessly.
no subject
Date: 2009-07-12 09:35 pm (UTC)
1] the user base is knowledgeable enough not to fuck it up completely...
2] the user base is too terrified of you to fuck it up completely...
Ideally, one educates the ignorant so they don't screw it up again.
Requiring them to do forfeits before you fix their machine works pretty well as motivational tool.
no subject
Date: 2009-07-12 09:53 pm (UTC)
My (support) department had local admin for years. In fact at one point my personal system was a box that IT had NO login for at all (RedHat machine) and that lasted a couple of years until software requirements forced me back onto Windows. But you had to be seriously knowledgeable to even be in said support department; a large part of our country-wide in-house software was written by people in my department.
We've just been switched over to our overlords' continent-wide AD network and all lost Local Admin. It sucks. But I can't see a company as large as our new overlords allowing department-wide Local Admin on systems not intended specifically for developers.
no subject
Date: 2009-07-12 10:23 pm (UTC)
no subject
Date: 2009-07-13 12:02 am (UTC)
Indeed. Speaking from the other side, I've had to send code out untested because I don't have proper rights on the dev servers. I spent a week trying to test the code in any way I could, but in the end, I had a deadline and the sysadmin team wasn't going to stoop down to handle my request (despite even my boss requesting it as well).
no subject
Date: 2009-07-13 01:29 am (UTC)
no subject
Date: 2009-07-13 02:38 am (UTC)
the last time it came down and let it be defrag'd, i ran the damned thing about 10 times.
two months later, the thing is running slow as sludge again. i think it's just time for a new machine, really.
no subject
Date: 2009-07-13 03:46 am (UTC)
Software engineer, here. Worked for a place that had rules like that - I couldn't have the admin password for the Solaris box that was right under my desk. And you had to have an admin password to shut down the machine. So I could pull the plug but I couldn't shut down. Yeah, *that's* smart.
And at that, I was one of the lucky ones to *have* a Solaris box under my desk, because they were convinced that a team of Unix/Linux engineers could do all their work on PCs using whatever POS emulation software I've blanked from my memory. I had to have a real Solaris because I worked on the graphics code, and half the time we had a bug reported in the graphics, you couldn't reproduce it with the emulator - the other half it was *caused* by the emulator. (Hmm, it's trying to display BGR when we're telling it RGB? Yes, that *will* make the colors look funny. No, that's *not* my fault.)
Just a voice on the other side
Date: 2009-07-13 03:51 am (UTC)
no subject
Date: 2009-07-13 04:35 am (UTC)
I do know ONE that requires admin for registry stuff but that was a one time thing.
no subject
Date: 2009-07-13 06:05 am (UTC)
A large user base on laptops will almost certainly require local admin rights, particularly when they are on the road and need to install software updates and such...
no subject
Date: 2009-07-13 09:23 am (UTC)
I've done some troubleshooting as IT admin, but it mostly involved getting rid of itunes' update checker which was slowing down all network traffic and telling people that they really shouldn't install that kind of crap on their work computers. I've even had people reinstall their computers from scratch with me only being there to enter the admin password for joining the domain. Relaxing!
;)
no subject
Date: 2009-07-13 09:24 am (UTC)
;)
no subject
Date: 2009-07-13 11:14 am (UTC)
no subject
Date: 2009-07-13 11:49 am (UTC)
Unfortunately at my place of work half the software needs it, so it's standard just to let 'em have admin rights. Probably causes 50% of our problems. I've talked to them about whitelisting and they say it'll be too difficult.
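An added example, not from the thread or any poster in it: the usual answer to "whitelisting is too difficult" is to generate an AppLocker allow-list from a known-clean reference machine and run it in audit-only mode first, so the list can be tuned from real "would have been blocked" events before anything is enforced. The reference directories and file paths are assumptions, and the policy is applied to the local machine here; the -Ldap parameter targets a GPO instead.

```powershell
# Added example (not from the thread): build an AppLocker allow-list from a clean
# reference machine and apply it in AuditOnly mode. Paths are assumptions.
# Run elevated on a Windows edition that supports AppLocker (Enterprise/Education/Server).

Import-Module AppLocker

$refDirs    = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'   # assumed reference set
$policyFile = "$env:TEMP\applocker-audit.xml"                               # assumed output path

# Gather publisher and hash information for executables, scripts and installers.
# DLLs are left out on purpose: DLL rules need separate tuning and are noisy on a first pass.
$fileInfo = foreach ($d in $refDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
}

# Prefer publisher rules (they survive version updates); fall back to hash rules for
# unsigned files. -Optimize merges files from the same publisher into one rule.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# Switch every rule collection to AuditOnly: nothing is blocked yet, but AppLocker logs
# what it would have blocked (event 8003 for EXE/DLL, 8006 for MSI/script).
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policy.Save($policyFile)

# Dry-run some files against the policy before deploying it. The Downloads path is an
# assumed example of something that should come back Denied.
$probe = 'C:\Windows\System32\notepad.exe', "$env:USERPROFILE\Downloads\setup.exe" |
    Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (add -Ldap '<GPO distinguished name>' to target a GPO instead) and make
# sure the Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyFile
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# After users have worked for a week or two, list what the policy would have blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message |
    Sort-Object Message -Unique
```

Every line in that audit report is either a legitimate app that needs a rule added (publisher rule if signed, otherwise a path or hash rule) or exactly the kind of toolbar or fake anti-virus the thread complains about; once the list stops growing, flip EnforcementMode to Enabled.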
Re: Just a voice on the other side
Date: 2009-07-13 12:45 pm (UTC)
no subject
Date: 2009-07-13 04:37 pm (UTC)
I'll also note that supporting engineers is a lot like supporting software developers - if you don't let people running AutoDesk software have local admin rights, you had better be prepared to spend A FUCKING LOT of time walking by workstations waving The Magic Admin Wand.
So in conclusion, I'd say it's sort of like oxygen levels in the atmosphere over geologic eras. That shit fluctuates from one era to another, it's not constant.
no subject
Date: 2009-07-13 05:27 pm (UTC)
Generally anyone developing Windows applications needs local admin rights.
Then you have the people who need to install or update their job-specific software all the time, and most of the software is dumb and requires local admin rights to run. In my last job, we only had 2-3 people who hit this requirement, so it added work to maintain them but not too badly.
I was incredibly lucky in my last job and was able to set the rules. And I am a bastard: I locked down local admin, all corporate-wide software was pushed through GPO and patches/antivirus were also pushed out.
I loved that setup, 2/3 of the company only used windows for Office and email, so we almost had no problems. And most virus infections could only infect their profile. The other 1/3 were developers and they would occasionally mess up their machines, but they were generally good people and if you pointed out that they brought this on themselves usually they didn't repeat the problem.
Now at my new company, everyone has local admin rights.... the two saving graces are (1) by policy if I spend 10-20 minutes on it, I can wipe and reimage the machine (and the reimage setup works wonderfully) and (2) I am primarily a UNIX admin so it's not my problem.
[At my last job I was the UNIX admin but due to layoffs I ended up essentially the senior guy for everything with a junior PC helper]
no subject
Date: 2009-07-13 05:35 pm (UTC)
no subject
Date: 2009-07-13 05:38 pm (UTC)
At the university where I work, most people can do most things on most machines, why? Because there's no policy on what software should be used, it's all up to individual professors/projects and while they try, it simply isn't possible for IT to stay ahead of the random stuff people need.
no subject
Date: 2009-07-13 10:16 pm (UTC)
Locking down the fingerpaint in an Art class doesn't make much sense, and not locking down the fingerpaint when the room is used for Math or Shop classes is just dumb.
no subject
Date: 2009-07-13 11:22 pm (UTC)
Your example would work better for an environment such as a library where multiple people use the same machine.
I think the OP implied, and I responded in the context of, an environment where you have one user per desktop/laptop and that user having full local admin rights.
Today's computers are not Terminals, like we used to manage in the early days of Mainframe/client environments (where locking everything down started). Employees are pretty much required to multi-task and be flexible and I submit that their equipment should do the same...
Re: Just a voice on the other side
Date: 2009-07-14 02:56 am (UTC)
no subject
Date: 2009-07-14 10:23 am (UTC)
Recently, there was a bit of a kerfuffle at my workplace where all employees who started before "x" date were asked to sign an agreement (newer ones supposedly signed it as part of their employment contract).
Part of the kerfuffle was over the fact that the agreement contained three unrelated things (software installation on computers; secrecy/confidentiality; knowledge of the official software development process), but a major part was over the first of those things.
See, it said that we were not allowed to use software unless it had been installed by IT.
In a software development company.
It was pointed out that this might make sense for the administrative area, where they typically only have a half-dozen apps they use (such as Office and SAP), but does not for the developers -- depending on the definition of "software" and "install" it would mean I couldn't even install, say, Hibernate for use with Java, or even "install" the software I'm developing onto my own machine in order to test it!
It turned out that what management *really* wanted was to prevent (a) unlicensed commercial software and (b) non-work software (such as World of Warcraft).
At any rate, I think pretty much everyone refused to sign the agreement and a new one is being worked out now.
no subject
Date: 2009-07-16 01:40 am (UTC)
no subject
Date: 2009-07-16 08:17 pm (UTC)
It also depends on the environment of the company. I had one I worked for that was a manufacturing company, and all the computers were locked down because the majority of the employees had no computer literacy whatsoever (see 10 minutes to find the start menu). Another company I worked for was also a manufacturing one, but had a large number of designers/white collar employees. They gave everyone full admin rights and we had many issues with things as a result (of course, inadequate virus protection on top of that just kinda compounded problems).
no subject
Date: 2009-07-16 09:14 pm (UTC)
I say, it seems a lot of people here are intent on "fixing" themselves out of a job...