Admin Level Rights on Staff PCs?
Posted on April 18, 2008
Filed Under Future of Libraries, Open Access | Tags freedom, PC, security, trust
I am looking for examples of libraries that DON’T lock down their staff PCs… libraries that provide power/super-user/admin level rights for staff. We will be re-doing our staff PC profiles later on this year, and I want to give our staff as much freedom as possible.
So - who’s doing it or has done it, has it been successful, etc… Any takers?
Comments
24 Responses to “Admin Level Rights on Staff PCs?”
Leave a Reply
RSS Feed
We have admin rights on our staff computers. I don’t *know* of any problems it’s caused, but I’m not in IT. Happy to discuss further if you want!
We provide full local admin rights on our Windows XP computers for staff. The only locked-down computers are the two at the Circ desk, which have local admin rights but are also locked down by running Centurion Technologies’ Drive Shield (so they can do anything they want but it all gets reset on reboot). We did this because the student assistants kept contaminating them with malware. Otherwise the staff are on strict instructions not to install anything, not toolbars, not cute video screen savers, nothing, without seeing me (the systems librarian) first. And they mostly seem to comply - I haven’t had a serious problem in years. I feel that my part of the bargain is to then give them permission to install anything that I know to be benign even if it’s not work-related, like iTunes, etc. My approach is that I’m not interested in policing what they do, just in making sure they don’t out of ignorance ruin their computer, and they appreciate that. I’ve warned them that if they mess up their computer by installing something bad without permission, it might take me a long time to get around to fixing it, and that’s a threat with teeth! Anything else is between them and their supervisor. We are also running the enterprise/corporate editions of Symantec Antivirus and Webroot Antispyware. We’re a relatively small library with 13 total library employees.
Jack Tarver-Mercer U. gives staff admin rights. It makes it much easier to make sure stuff gets updated. I think only a couple of people don’t have rights and its much better that they don’t. Haven’t had any problems that I know of
Library staff a my library have admin rights, and I don’t know of any problems it’s caused. Student worker computers used to grant admin rights to student workers, and some still do, I think, but those computers caused problems pretty regularly for our IT guy.
At the last place I worked - SWOSU Al Harris Library all staff had super user rights on their own machine - but the ref desk machine was locked down like crazy.
We have our staff computers set up as power users and that seems to allow for most things. We still have to go install software for people in most cases but we are working on using SMS to make that easier because you can elevate the rights of the user for each install.
On the public computers/ref desk/etc. I have them locked down as local user access only because I like the power trip..
So far it’s only caused a few minor problems, such as flash updating and weird USB drive issues. I wouldn’t want to see staff run at that level because it would be a pain.
If you are feeling up to it you can do local admin rights but then use group policy settings to lock down certain things and allow others. It really just depends on what your domain setup is.
We have allowed admin level rights to staff as long as I have been working at the library. It really has not been a problem for us. In fact we find that it is the best way to run Millennium. We also run thin clients and those are of course locked down pretty tight. If you are considering giving staff more freedom, I can say that, at least from my experience, you should not have too many problems.
[...] Admin Level Rights on Staff PCs? [...]
At the University of Michigan, staff have admin rights on their computers, and the public and reference computers are locked down. Reading the other comments, it sounds like this is pretty common. Like other non-IT commenters, I don’t know if this has caused any problems, but there seems to be no move to make a change.
From a regular person perspective, I will say that I love being able to install toolbars and widgets and software without having to bother our very busy desktop support staff. I think having that level of control is empowering, especially if you want to encourage staff to experiment.
[...] Admin Level Rights on Staff PCs? [...]
MPOW gives us full rights (or at least full enough that I’ve never been stopped). It’s excellent service and encourages us to use/explore widgets and tools.
MPOW uses a hybrid, I believe. I don’t ask questions, since I’m granted full admin on my machine, as are other “safe” users–i.e.- those with heavy IT backgrounds. I believe most staff are power users.
Here at the State Library of Kansas, most of our staff have full local admin rights. There are a few who only have limited access, but it’s for their own protection and we will install anything they want. To my knowledge there has yet to be a situation where permanent harm has been caused to a computer by this policy. We have a very informal policy about installing software…mostly people just ask if certain software will hurt their machine before they install it.
We allow all staff to have admin rights on their computers. There are a few that I wish didn’t have these rights, but as we tell them, if they mess up their computer, don’t expect us to come running to fix it right away. I think there would be a real mutiny if we were to take away admin rights for staff. Our public computers are completely locked down. We only have shortcuts on the desktop for the few programs we allow (MS Office, Public Web Browser, Scanning, CD, Flash and Floppy drives.)
[...] Admin Level Rights on Staff PCs? [...]
[...] Admin Level Rights on Staff PCs? [...]
We don’t give staff full admin rights, but they’re usually able to install software without any problems. Staff hopefully know that they’re responsible for what they install and they have to abide by the IT policy. If they screw up the PC, then it’ll get reimaged back to the default staff image (so they’ll lose any customisations they;ve made).
The only problems have been due to spyware/adware getting installed, or when they’ve been stupid enough to let students use their PC without supervision.
At MRRL admin rights are on a case by case basis. Most managers have admin rights on their machines and others do not. This happened about 6 months ago or so with a new IT manager, before that no one had admin rights on their machine. It was a huge hassle to get anything installed, even del.icio.us. My 2 cents would be to allow it on most machines, but I’m not in IT.
As part of a 30 library consortium with centralized IT support, we are all given full admin rights to our computers. Whether you are in a library serving a community of 500 people or that serving 60,000+, every staff member has admin rights.
And IT WORKS! I’m a huge proponent of trusting staff and allowing non-tech people to experiment and make their computers their own. How else are they going to learn? They aren’t if the computers are locked to everything or they have to run their programs past the computer police. Open access works for our staff and for the staff of all of the other libraries in our system.
And just so you know I’m not seeing this only from the library director point of view, my husband is the network admin for the system and he is very proud and enthusiastic about the admin level access they offer.
I’m the network admin (and husband) of the poster “Tasha” above. Yes, all staff PCs are wide open, everyone has full local admin rights from pages to directors.
My only limit is that users are not to install server software without telling me first. There was one incident where a staff member installed Apache/MySQL/Perl on a desktop PC and I did have to put a stop to that (he wasn’t patching it properly).
Of course, by “put a stop to that” I mean I set him up with our Linux admin to have access to everything he needed and migrated his project over to one of our linux servers.
Yes, people occasionally trash a machine. It’s very rare, but when it happens we just fix it and move on. Yes, occasionally I have to have a chat with someone about bandwidth (and bittorrent). No, no one has taken down the network. Yes, we’ve been hacked, but it wasn’t the result of staff PCs being unlocked, that linux server wasn’t configured properly and it was hijacked over the internet. Fixed that, hasn’t happened since, no harm done, no data lost.
Users are encouraged to run Windows, but there are Macs and Linux PCs as well.
In the library system I work for we also allow people to connect any PC they want to the network (staff AND public, though that required some clever work), have wide open wireless at all libraries, for 90% of the libraries that wireless cost them a one-time fee of $60 (to cover the cost of equipment), and I usually never discuss this sort of thing because whenever I do I’m told that I’m nuts for allowing such anarchy.
Unfortunately, lay people do not understand and tend to argue with me and it takes way too long to educate them on why they are wrong, but it really does work, people are very happy, and if your admin knows what they are doing it’s quite a safe and hacker free way to run a network.
I think it actually works in my favor that I’m somewhat paranoid. But instead of being ‘typical’ paranoid and not allowing anything, I’ve done a lot of research and know what I’m up against (Bruce Schneier is awesome, btw, “Secrets & Lies” should be required reading for an admin). By understanding the real risks associated with what I’m doing, it allows me to take defensive steps that protect the network as a whole (and my servers!) without forcing people to live in the digital equivalent of a police state.
Staff don’t generally run as admins. Permissions are case by case. Since our policy doesn’t allow for installation of programs without my prior approval, there isn’t really any need to give full admin rights. It has helped with spyware prevention too.
When I first started most computers were running as admins and it was a lot of work to clean/fix computers. Now we’re up 100% of the time, with only a few computers that I have to work on at a time. Some departments are harder on computers then others.
[...] Admin Level Rights on Staff PCs? [...]
[...] Admin Level Rights on Staff PCs? [...]
My library allows staff to install plugins, toolbars, firefox etc, I guess that makes us power users. As someone mentioned above I think this is crucial if you want staff to experiment and learn. Our public PCs are pretty locked down, and some staff have mistakenly for years had the impression that they shouldn’t download anything on their workstations.
We’re currently in the midst of a Learning 2.0 program. I’m one of the admins for the program so I’m contacted whenever staff encounter a problem, and I’ve noticed that those staff with the most reluctance to download anything are the same ones encoutering the most problems learning these 2.0 tools. No real surprise there.
Granting admin rights and encouraging staff to play and experiment is crucial when it comes to adding new services like downloadable audiobooks. Frontline staff are the ones with the best opportunity to promote a new service like this, but to do that they have to understand it. And there really is no better way for them to get comfortable with these tools than to go through the whole process of installing software and downloading books.
I’ve demo’d these downloads for over two years and every time I have to reiterate that its okay for them to download and install the software. My hope is that at the end of the Learning 2.0 program this won’t be so big hurdle.
As far as problems go, I’ve haven’t heard of anything catastrophic happening in all the years I’ve been here. How big a headache this is on a day to day basis for IT I don’t know.
I’m firmly of the opinion that its crucial for staff to have admin rights so they’ll continue to learn the tools our patrons are using, and needing help with. Improving customer service is going to be one of the areas the library will focus on over the next five years, having knowledgeable tech savvy staff on the frontlines is a huge part of reaching that goal.