Re: software installation

["Boles, Jeffrey B." <chronos () OU EDU>]

In my case, I've found it has a lot to do with how responsive you can be
to legitimate needs for administrative access.  If you can not give
people the admin access they need to perform necessary job tasks, making
a case for the restriction (when they are not en-cultured to it) can be
difficult.  

 

The majority of my users have no regular need for such higher level
privilege, and we are blessedly small enough that we can respond to a
request for elevated privileges in a fairly timely fashion.  As soon as
they are finished doing what required higher privileges, they are
returned to a normal user and forcibly logged off and back on (to cycle
the privilege change).  

 

The IT department for the Oklahoma Department of Human Services (who I
get to work with often) does a similar thing, but they also keep a
special group with local admin privileges that they put people into when
it is required.  Anyone in this group has admin privileges on any
desktop on their domain, but they empty the group every night.  That way
if someone requests admin rights, they can easily give it to them
(adding them to a global group) and not have to remotely touch their
desktop.  They are also assured that the privilege is not grossly abused
as it is removed as soon as end of business that day.  Makes sense for a
larger enterprise.

 

Jeff Boles, MCP
IT Administrator
Training and Research Center
Center for Public Management
Public & Community Services
University OUTREACH
University of Oklahoma
Phone: 405.573.6817
Cell: 405.831.2042
Email: chronos () ou edu <mailto:chronos () ou edu> 

"Homo doctus in se semper divitias habet."

________________________________

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michelle Mueller
Sent: Thursday, March 11, 2004 3:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] software installation

 

We've had this same problem with faculty wanting to install demos and
educational software.  To solve this, we've given local admin rights to
those who have voiced their need to install.  Not the best solution, but
much better than giving them more rights on the domain.  To do this go
to Computer Management, Local Users and Groups, Groups, and double-click
on Administrators.  Add that user's domain ID to this group.  That will
give that person (and only that person) administrative rights on that
machine.   Personally, I don't like doing this.  Any kind of "relaxing"
of security bothers me.  But we have been unable to come up with another
solution.  I'd be very interested to learn a safer way of doing this.

Michelle Mueller
Network Specialist
Mount Mary College
Milwaukee, WI


Chad McDonald wrote:



We have made a very recent move towards implementing Active Directory
and have fairly effectively restricted what users can do on GC&SU
clients.  We are now being bombarded by a vocal minority who feel that
they have a bona fide need to install software on their machine.  Up to
now we have been unable to find a way to allow users to install their
own software (i.e. test banks, trial software, user-developed software)
without administrative rights.  I am sure that some of you have
encountered this as well and I'm hoping that you have found a solution.
Any assistance that you may provide will certainly be appreciated.

 

Chad McDonald

Director of Campus Computer Support Services

Georgia College & State University

Milledgeville, Ga.  31061

Phone 478.445.4473

Fax 478.445.1202

 

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/. 

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.