Educause Security Discussion mailing list archives
Re: Granting all users (or "a select few"??) administrative rights on their own computer systems??
From: "Cappalli, Tim G @ LSC-OIT" <Tim.Cappalli () LSC VSC EDU>
Date: Fri, 31 Aug 2012 20:43:22 +0000
We've had issues with users installing software that the college doesn't own and installing Apple updates that brick the computer (PGP). For years, our Windows users have not been granted admin rights (except in extreme cases). Our Mac users have used local accounts and were admins due to a lack of management tools up until recently. Last year we began moving our Mac users to a managed environment (Profile manager and AD). Many of the faculty that were affected by this are not happy and are currently battling this new change. And for some background, it was one of the Mac users who is battling this that had the unlicensed software. Our CTO and president at the time felt it was less time consuming to install software when they needed it than constantly rebuild and re-encrypt computers after they've been bricked. Tim Tim Cappalli, ACMP CCNA | (802) 626-6456 Office of Information Technology (OIT) | Lyndon
cappalli () lyndonstate edu<mailto:cappalli () lyndonstate edu> | oit.lyndonstate.edu<http://oit.lyndonstate.edu/>
[cid:image001.png@01CD7CA8.ADB45900] Sent from Windows 8 and Outlook 2013 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL Sent: Friday, August 31, 2012 4:21 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Granting all users (or "a select few"??) administrative rights on their own computer systems?? Hi folks..... Sorry if this is a re-hash of a very old subject, but - most of our users do NOT have administrative rights on their computers. A select few (outside of our centralized IT organization) have what are termed "Z accounts" that are separate user accounts that are issued to individuals that essentially provide them with admin rights on their local systems, but - we've been trying to keep these to a minimum. However - now that we are getting more and more update notifications for Adobe, Java, etc - the end user population is demanding more and more access to their systems so that they can do their own updates. Up until now - we have held that we (the IT organization) would assist with any updates or software installations - and do so either at the desktop, or remotely through our Service Desk. We do a lot of remote support via RDP and/or PCAnywhere and/or Altiris Deployment Solution. We're keenly aware of the potential risks that this presents, but - we're being told that we have to pursue this direction - in some manner. From a support perspective, the prevailing belief system is that when we relinquish admin rights to the end users, the field tech workload will swing from "installing updates and software" to "repairing and re-imaging systems".......but, if that's the direction we're told to go, we'll do so without argument.....(personally - I'm not opposed to it at all.....it's more the "support policy" that concerns me.....;-) But, the bottom line is - we have to allow users (either in general, or in a controlled group?), to install their own software - install their own patches (ie, Adobe, Java, etc.). My question is: How do other colleges manage this? Do you give user's admin rights as a matter of course?.....or do you have a means of controlling this? Do you continue to lock down the desktop such that most/all users do not have admin rights?.....or do you allow them to configure their own systems themselves, at their own risk? Without sounding too callous, I *came* from an environment where users *did* have admin rights on their own systems - and for the most part, life was uneventful *except* for the instances where a user would get themselves so twisted up that when they did call for tech support - we basically told them that the 90% solution was to simply re-image their system for them. Data backups were their responsibility - we'd re-image the OS and baseline software - install whatever additional software they could produce proof of licensing for - and re-pointed them to their network data stores......and that was about it. Again - it worked fairly well in a "Fed sector" environment, but I'm not sure how well it would fly in a higher ed environment....?? Sorry this is so long-winded, but - curious to hear how everyone else handles this kind of situation..... Thanks, Michael -- This message has been scanned for viruses and dangerous content by MailScanner<http://www.mailscanner.info/>, and is believed to be clean.
Current thread:
- Granting all users (or "a select few"??) administrative rights on their own computer systems?? SCHALIP, MICHAEL (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Jeff Moore (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Cappalli, Tim G @ LSC-OIT (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Shalla, Kevin (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Kriss, George N (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Schumacher, Adam J. (Sep 01)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Chris Green (Sep 05)