Educause Security Discussion mailing list archives

Re: Granting all users (or "a select few"??) administrative rights on their own computer systems??


From: "Schumacher, Adam J." <adamschumacher () CREIGHTON EDU>
Date: Sat, 1 Sep 2012 20:36:17 +0000

We are actually moving away from letting users have admin access on their computers.  It has been a very painful 
process both politically and technically.  BUT, consider the following:


  1.  We have the tools to remotely deploy updates to applications as they are released (Landesk in our case, others 
have similar tools like Altiris).  This allows IT to test patches against the systems that users use (Banner, 
Blackboard, email, etc) before releasing them.  Java is one that is often very picky about version compatibility.
  2.  Speaking of testing, how does one do any kind of worthwhile test when there is no standardization in the 
environment?  If users can make any modifications they want to the system at their whim, you can’t be sure whatever new 
software you want to deploy or upgrade /patch is going to work with configurations you don’t even know about.  This is 
tough.  You may have 5 or 10 (more?) different standards you have to maintain given that different areas have different 
needs.  The benefit though, is that you have a much higher confidence when you’ve tested against those 10 different 
standards that things will work.
  3.  Others have already mentioned this but when you let users “manage” their machines, your support focus changes 
from preventative maintenance and known, planned changes (as you install and update software) to fixing broken and 
infected machines and fighting “fires”.  Personally, I’d rather be able to be proactive and avoid the uncontrolled 
downtime from unplanned issues.
  4.  Everyone here I’m sure is aware of the “principle of least privilege”.  What does a user need to do his or her 
job?  Of course, that answer may vary based on how your IT infrastructure is implemented, but I’m willing to bet 
“installing and patching software” is not in many of your (non-IT) staff members’ job descriptions... :)

sha1(

Adam Schumacher [MS] [MBA]
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= d6f7869d563ef99ad47a5ae03e94c76ead328935




On 8/31/12 3:21 PM, "SCHALIP, MICHAEL" <mschalip () CNM EDU> wrote:

Hi folks…..

Sorry if this is a re-hash of a very old subject, but – most of our users do NOT have administrative rights on their 
computers.  A select few (outside of our centralized IT organization) have what are termed “Z accounts” that are 
separate user accounts that are issued to individuals that essentially provide them with admin rights on their local 
systems, but – we’ve been trying to keep these to a minimum.  However – now that we are getting more and more update 
notifications for Adobe, Java, etc – the end user population is demanding more and more access to their systems so that 
they can do their own updates.  Up until now – we have held that we (the IT organization) would assist with any updates 
or software installations – and do so either at the desktop, or remotely through our Service Desk.  We do a lot of 
remote support via RDP and/or PCAnywhere and/or Altiris Deployment Solution.

We’re keenly aware of the potential risks that this presents, but – we’re being told that we have to pursue this 
direction – in some manner.  From a support perspective, the prevailing belief system is that when we relinquish admin 
rights to the end users, the field tech workload will swing from “installing updates and software” to “repairing and 
re-imaging systems”…….but, if that’s the direction we’re told to go, we’ll do so without argument…..(personally – I’m 
not opposed to it at all…..it’s more the “support policy” that concerns me…..;-)

But, the bottom line is – we have to allow users (either in general, or in a controlled group?), to install their own 
software – install their own patches (ie, Adobe, Java, etc.).

My question is:  How do other colleges manage this?  Do you give users admin rights as a matter of course?.....or do 
you have a means of controlling this?  Do you continue to lock down the desktop such that most/all users do not have 
admin rights?.....or do you allow them to configure their own systems themselves, at their own risk?

Without sounding too callous, I *came* from an environment where users *did* have admin rights on their own systems – 
and for the most part, life was uneventful *except* for the instances where a user would get themselves so twisted up 
that when they did call for tech support – we basically told them that the 90% solution was to simply re-image their 
system for them.  Data backups were their responsibility – we’d re-image the OS and baseline software – install 
whatever additional software they could produce proof of licensing for – and re-pointed them to their network data 
stores……and that was about it.  Again – it worked fairly well in a “Fed sector” environment, but I’m not sure how well 
it would fly in a higher ed environment….??

Sorry this is so long-winded, but – curious to hear how everyone else handles this kind of situation…..

Thanks,

Michael
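
As an added check (not code from either message in this thread): a PowerShell audit that compares each machine's local Administrators group against the approved list of "Z accounts" and support groups, so the exceptions Michael describes stay a visible, deliberate minimum. It assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), WinRM reachable from the admin workstation, and the computer names and allow-list entries are constructed placeholders.

```powershell
# Added example: report local Administrators members that are not on the
# approved Z-account / support-group list. Assumes PowerShell 5.1+ on the
# targets and WinRM enabled. Computer names and allowed principals below are
# constructed placeholders, not values from the thread.

$Computers = @('LAB-PC01', 'LAB-PC02')            # constructed sample targets

# Principals expected in the local Administrators group: the built-in local
# Administrator, the IT support group, and the approved Z accounts.
$Allowed = @(
    'CAMPUS\IT-Desktop-Support',                  # constructed support group
    'CAMPUS\z-jdoe',                              # constructed Z account
    'Administrator'
)

# Query every target and tag each member with the computer it came from.
$Findings = Invoke-Command -ComputerName $Computers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{n = 'Computer'; e = { $env:COMPUTERNAME }},
                      Name, ObjectClass, PrincipalSource
} -ErrorAction SilentlyContinue

# Local accounts come back as "<COMPUTER>\Name"; strip that prefix so the
# built-in Administrator matches the allow-list entry. Domain accounts keep
# their "DOMAIN\name" form and must match the allow-list exactly.
$Unexpected = $Findings | Where-Object {
    $local = $_.Name -replace "^$([regex]::Escape($_.Computer))\\", ''
    $Allowed -notcontains $local
}

if ($Unexpected) {
    Write-Warning 'Local admin rights found outside the approved Z-account list:'
    $Unexpected | Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize
} else {
    Write-Host 'All local Administrators members are on the approved list.'
}
```

Run it on a schedule and diff the report against the previous run; a new row is either a freshly issued Z account that should be in $Allowed or an escalation worth a ticket.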
