David Lee King

Admin Level Rights on Staff PCs?



I am looking for examples of libraries that DON’T lock down their staff PCs… libraries that provide power/super-user/admin level rights for staff. We will be re-doing our staff PC profiles later on this year, and I want to give our staff as much freedom as possible.

So – who’s doing it or has done it, has it been successful, etc… Any takers?


  • Costar

    I would not give users admin rights. We had that before and we had lots of problems. Users just downloaded all kinds of shi. from Inet.
    Installed it as they wanted. So we had to reinstall lots of them.

    I'll have a look at it, Bill.

  • Bob

    What scares me about this whole blog is the complete misunderstanding people have of what network security really means. Anybody who gives full admin rights to everybody on a network is handing each and every user a loaded gun to play with. Users will by their very nature click on things they shouldn't or get tricked into clicking things, and with today’s sophisticated attacks, an untrained eye can easily be installing malware/virus/keyloggers before they know it. Once 1 machine is infected, it can snowball. “Blah blah blah… empower users with admin rights” is the biggest load of lazy network management I have ever heard; no company/public service that values its servers/PCs should allow unrestricted admin rights without locking it down somehow. It's lazy management to just say “have full admin rights” and then nobody moans and you are the good guy….. well, that is until it all falls down and you spend weeks clearing crap from everybody’s machines, interruption to service and never really knowing whether you have really removed all the malware. I would suggest that anybody who takes the approach of “full admin rights is a good idea” should not be let anywhere near a networked computer. Consider the licensing issues alone and it should scare you into having some control on what people install. Bryan who posted above, his comments and in particular “and if your admin knows what they are doing it's quite a safe and hacker free way to run a network” had everybody in my office laughing themselves silly. I for one would never plug any laptop of mine into any network run by that guy.

  • http://www.davidleeking.com davidleeking

    Bob – everything you just mentioned can easily be dealt with by installing enterprise-level anti-virus software, setting up profiles correctly, etc. If you can't, you're a bad network admin, simply stated.

    What's licensing have to do with admin-level or higher-level rights on an individual PC? Not getting that point.

  • Ben

    Ok, obviously you don’t deal with being licensed properly. What happens when people download and install software which is free for personal use, but not commercial or public sector? Liability is on the PC owner. Enterprise level anti-virus does not catch anywhere near as many malware/virus as people think, especially when it's just released into the wild. Relying on this is bad management; whole networks can be infected very quickly. Have you never heard of products such as Avecto Privilege Guard, for example? They can allow you granular control over which programs get installed, run with elevated privileges, updaters can be run with raised privileges so no prompts, etc. You do not have to give everybody Admin rights full stop. It's lazy, badly managed IT departments which take the easy option because they do not know any better, seen it time after time. An admin is just that, no amount of profiling etc is going to stop someone doing damage at that level.

  • http://www.davidleeking.com davidleeking

    Hi Bob – nice to see you again! Remember – this was over 2 years ago… we ended up going with a hybrid approach, so staff can install things like Flash updates themselves (we were locked down WAY too tight before I started here), and other stuff, once approved, we push out to staff.

    I would counter your “lazy, badly managed IT departments” statement with the opposite end – it’s also lazy IT management when everything is locked down to the point of silliness. I have seen THAT time after time.

    There’s a lovely middle ground here – that’s where IT depts should be.

  • Bob

    So basically you did exactly what I said. Had no full admin rights, but allowed updates and approved software. I always said total access was a joke. Hybrid basically means you locked it down, then allowed essential stuff, exactly how I run things. Control without being big brother…..just like I said…

  • http://www.davidleeking.com davidleeking

    Well, you didn’t actually suggest anything. You just said “Anybody who gives full admin rights to everybody on a network is handing each and every user a loaded gun to play with,” then went off on all the bad things users would supposedly do.

    Just sayin.