Educause Security Discussion mailing list archives
Re: software installation
From: "Boles, Jeffrey B." <chronos () OU EDU>
Date: Thu, 11 Mar 2004 16:07:02 -0600
In my case, I've found it has a lot to do with how responsive you can be to legitimate needs for administrative access. If you can not give people the admin access they need to perform necessary job tasks, making a case for the restriction (when they are not en-cultured to it) can be difficult. The majority of my users have no regular need for such higher level privilege, and we are blessedly small enough that we can respond to a request for elevated privileges in a fairly timely fashion. As soon as they are finished doing what required higher privileges, they are returned to a normal user and forcibly logged off and back on (to cycle the privilege change). The IT department for the Oklahoma Department of Human Services (who I get to work with often) does a similar thing, but they also keep a special group with local admin privileges that they put people into when it is required. Anyone in this group has admin privileges on any desktop on their domain, but they empty the group every night. That way if someone requests admin rights, they can easily give it to them (adding them to a global group) and not have to remotely touch their desktop. They are also assured that the privilege is not grossly abused as it is removed as soon as end of business that day. Makes sense for a larger enterprise. Jeff Boles, MCP IT Administrator Training and Research Center Center for Public Management Public & Community Services University OUTREACH University of Oklahoma Phone: 405.573.6817 Cell: 405.831.2042 Email: chronos () ou edu <mailto:chronos () ou edu> "Homo doctus in se semper divitias habet." ________________________________ From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michelle Mueller Sent: Thursday, March 11, 2004 3:24 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] software installation We've had this same problem with faculty wanting to install demos and educational software. To solve this, we've given local admin rights to those who have voiced their need to install. Not the best solution, but much better than giving them more rights on the domain. To do this go to Computer Management, Local Users and Groups, Groups, and double-click on Administrators. Add that user's domain ID to this group. That will give that person (and only that person) administrative rights on that machine. Personally, I don't like doing this. Any kind of "relaxing" of security bothers me. But we have been unable to come up with another solution. I'd be very interested to learn a safer way of doing this. Michelle Mueller Network Specialist Mount Mary College Milwaukee, WI Chad McDonald wrote: We have made a very recent move towards implementing Active Directory and have fairly effectively restricted what users can do on GC&SU clients. We are now being bombarded by a vocal minority who feel that they have a bona fide need to install software on their machine. Up to now we have been unable to find a way to allow users to install their own software (i.e. test banks, trial software, user-developed software) without administrative rights. I am sure that some of you have encountered this as well and I'm hoping that you have found a solution. Any assistance that you may provide will certainly be appreciated. Chad McDonald Director of Campus Computer Support Services Georgia College & State University Milledgeville, Ga. 31061 Phone 478.445.4473 Fax 478.445.1202 ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- software installation Chad McDonald (Mar 11)
- <Possible follow-ups>
- Re: software installation Michelle Mueller (Mar 11)
- Re: software installation Boles, Jeffrey B. (Mar 11)
- Re: software installation Brian K. Dore' (Mar 12)