Admin Level Rights on Staff PCs?

We have admin rights on our staff computers. I don’t *know* of any problems it’s caused, but I’m not in IT. Happy to discuss further if you want!

We provide full local admin rights on our Windows XP computers for staff. The only locked-down computers are the two at the Circ desk, which have local admin rights but are also locked down by running Centurion Technologies’ Drive Shield (so they can do anything they want but it all gets reset on reboot). We did this because the student assistants kept contaminating them with malware. Otherwise the staff are on strict instructions not to install anything, not toolbars, not cute video screen savers, nothing, without seeing me (the systems librarian) first. And they mostly seem to comply – I haven’t had a serious problem in years. I feel that my part of the bargain is to then give them permission to install anything that I know to be benign even if it’s not work-related, like iTunes, etc. My approach is that I’m not interested in policing what they do, just in making sure they don’t out of ignorance ruin their computer, and they appreciate that. I’ve warned them that if they mess up their computer by installing something bad without permission, it might take me a long time to get around to fixing it, and that’s a threat with teeth! Anything else is between them and their supervisor. We are also running the enterprise/corporate editions of Symantec Antivirus and Webroot Antispyware. We’re a relatively small library with 13 total library employees.

Jack Tarver-Mercer U. gives staff admin rights. It makes it much easier to make sure stuff gets updated. I think only a couple of people don’t have rights and its much better that they don’t. Haven’t had any problems that I know of

Library staff a my library have admin rights, and I don’t know of any problems it’s caused. Student worker computers used to grant admin rights to student workers, and some still do, I think, but those computers caused problems pretty regularly for our IT guy.

At the last place I worked – SWOSU Al Harris Library all staff had super user rights on their own machine – but the ref desk machine was locked down like crazy.

We have our staff computers set up as power users and that seems to allow for most things. We still have to go install software for people in most cases but we are working on using SMS to make that easier because you can elevate the rights of the user for each install.

On the public computers/ref desk/etc. I have them locked down as local user access only because I like the power trip.. So far it’s only caused a few minor problems, such as flash updating and weird USB drive issues. I wouldn’t want to see staff run at that level because it would be a pain.

If you are feeling up to it you can do local admin rights but then use group policy settings to lock down certain things and allow others. It really just depends on what your domain setup is.

We have allowed admin level rights to staff as long as I have been working at the library. It really has not been a problem for us. In fact we find that it is the best way to run Millennium. We also run thin clients and those are of course locked down pretty tight. If you are considering giving staff more freedom, I can say that, at least from my experience, you should not have too many problems.

At the University of Michigan, staff have admin rights on their computers, and the public and reference computers are locked down. Reading the other comments, it sounds like this is pretty common. Like other non-IT commenters, I don’t know if this has caused any problems, but there seems to be no move to make a change.

From a regular person perspective, I will say that I love being able to install toolbars and widgets and software without having to bother our very busy desktop support staff. I think having that level of control is empowering, especially if you want to encourage staff to experiment.

MPOW gives us full rights (or at least full enough that I’ve never been stopped). It’s excellent service and encourages us to use/explore widgets and tools.

MPOW uses a hybrid, I believe. I don’t ask questions, since I’m granted full admin on my machine, as are other “safe” users–i.e.- those with heavy IT backgrounds. I believe most staff are power users.

Here at the State Library of Kansas, most of our staff have full local admin rights. There are a few who only have limited access, but it’s for their own protection and we will install anything they want. To my knowledge there has yet to be a situation where permanent harm has been caused to a computer by this policy. We have a very informal policy about installing software…mostly people just ask if certain software will hurt their machine before they install it.

We allow all staff to have admin rights on their computers. There are a few that I wish didn’t have these rights, but as we tell them, if they mess up their computer, don’t expect us to come running to fix it right away. I think there would be a real mutiny if we were to take away admin rights for staff. Our public computers are completely locked down. We only have shortcuts on the desktop for the few programs we allow (MS Office, Public Web Browser, Scanning, CD, Flash and Floppy drives.)

We don’t give staff full admin rights, but they’re usually able to install software without any problems. Staff hopefully know that they’re responsible for what they install and they have to abide by the IT policy. If they screw up the PC, then it’ll get reimaged back to the default staff image (so they’ll lose any customisations they;ve made).

The only problems have been due to spyware/adware getting installed, or when they’ve been stupid enough to let students use their PC without supervision.

At MRRL admin rights are on a case by case basis. Most managers have admin rights on their machines and others do not. This happened about 6 months ago or so with a new IT manager, before that no one had admin rights on their machine. It was a huge hassle to get anything installed, even del.icio.us. My 2 cents would be to allow it on most machines, but I’m not in IT.

As part of a 30 library consortium with centralized IT support, we are all given full admin rights to our computers. Whether you are in a library serving a community of 500 people or that serving 60,000+, every staff member has admin rights.

And IT WORKS! I’m a huge proponent of trusting staff and allowing non-tech people to experiment and make their computers their own. How else are they going to learn? They aren’t if the computers are locked to everything or they have to run their programs past the computer police. Open access works for our staff and for the staff of all of the other libraries in our system.

And just so you know I’m not seeing this only from the library director point of view, my husband is the network admin for the system and he is very proud and enthusiastic about the admin level access they offer.

I’m the network admin (and husband) of the poster “Tasha” above. Yes, all staff PCs are wide open, everyone has full local admin rights from pages to directors.

My only limit is that users are not to install server software without telling me first. There was one incident where a staff member installed Apache/MySQL/Perl on a desktop PC and I did have to put a stop to that (he wasn’t patching it properly).

Of course, by “put a stop to that” I mean I set him up with our Linux admin to have access to everything he needed and migrated his project over to one of our linux servers.

Yes, people occasionally trash a machine. It’s very rare, but when it happens we just fix it and move on. Yes, occasionally I have to have a chat with someone about bandwidth (and bittorrent). No, no one has taken down the network. Yes, we’ve been hacked, but it wasn’t the result of staff PCs being unlocked, that linux server wasn’t configured properly and it was hijacked over the internet. Fixed that, hasn’t happened since, no harm done, no data lost.

Users are encouraged to run Windows, but there are Macs and Linux PCs as well.

In the library system I work for we also allow people to connect any PC they want to the network (staff AND public, though that required some clever work), have wide open wireless at all libraries, for 90% of the libraries that wireless cost them a one-time fee of $60 (to cover the cost of equipment), and I usually never discuss this sort of thing because whenever I do I’m told that I’m nuts for allowing such anarchy.

Unfortunately, lay people do not understand and tend to argue with me and it takes way too long to educate them on why they are wrong, but it really does work, people are very happy, and if your admin knows what they are doing it’s quite a safe and hacker free way to run a network.

I think it actually works in my favor that I’m somewhat paranoid. But instead of being ‘typical’ paranoid and not allowing anything, I’ve done a lot of research and know what I’m up against (Bruce Schneier is awesome, btw, “Secrets & Lies” should be required reading for an admin). By understanding the real risks associated with what I’m doing, it allows me to take defensive steps that protect the network as a whole (and my servers!) without forcing people to live in the digital equivalent of a police state.

Staff don’t generally run as admins. Permissions are case by case. Since our policy doesn’t allow for installation of programs without my prior approval, there isn’t really any need to give full admin rights. It has helped with spyware prevention too.

When I first started most computers were running as admins and it was a lot of work to clean/fix computers. Now we’re up 100% of the time, with only a few computers that I have to work on at a time. Some departments are harder on computers then others.

My library allows staff to install plugins, toolbars, firefox etc, I guess that makes us power users. As someone mentioned above I think this is crucial if you want staff to experiment and learn. Our public PCs are pretty locked down, and some staff have mistakenly for years had the impression that they shouldn’t download anything on their workstations.

We’re currently in the midst of a Learning 2.0 program. I’m one of the admins for the program so I’m contacted whenever staff encounter a problem, and I’ve noticed that those staff with the most reluctance to download anything are the same ones encoutering the most problems learning these 2.0 tools. No real surprise there.

Granting admin rights and encouraging staff to play and experiment is crucial when it comes to adding new services like downloadable audiobooks. Frontline staff are the ones with the best opportunity to promote a new service like this, but to do that they have to understand it. And there really is no better way for them to get comfortable with these tools than to go through the whole process of installing software and downloading books.

I’ve demo’d these downloads for over two years and every time I have to reiterate that its okay for them to download and install the software. My hope is that at the end of the Learning 2.0 program this won’t be so big hurdle.

As far as problems go, I’ve haven’t heard of anything catastrophic happening in all the years I’ve been here. How big a headache this is on a day to day basis for IT I don’t know.

I’m firmly of the opinion that its crucial for staff to have admin rights so they’ll continue to learn the tools our patrons are using, and needing help with. Improving customer service is going to be one of the areas the library will focus on over the next five years, having knowledgeable tech savvy staff on the frontlines is a huge part of reaching that goal.

We (Howard County Library) actually made all staff PCs have admin level rights about a year ago. We’ve seen little to no abuse of this. Makes things a lot easier for IT. Of course now that we are moving everyone to Linux (Ubuntu) it will be even easier but again we’ll let they have admin level. The sad commentary is most of the staff wouldn’t know how to mess up their machines if they tried (so making them admin didn’t cause a problem). The few that do know how don’t because they are savvy enough to not screw things up.

Hi,

I have worked in IT support for over 12 years and have covered 1st, 2nd and 3rd line support..

Before you go ahead and give everyone local admin rights, please think about some of the implications. Your company (not the user) are responsible for the software licenses put onto company machines so you will have to make sure you have some kind of auditing software.

Also you are basically giving the user rights to install and uninstall anything on there machine. Also it’s not just there machine they can affect. If the machine is on the network you could be facing real trouble. Please think about the possibility of Malware – Trojan Horses, Worms, Adware, Spyware, keyloggers and lots more.

I know that it seems like a hassle to install software on machine but if you have the right IT support everything can be installed centrally for example if you are Using Win 2k server or above you can push out software through AD or even other packages like SMS and it is quicker than going to several machine locally and installing it.

It is easy to give local admin rights out to everybody but if I was working in your company with local admin rights I don’t think it would take me half a day before I had access to your servers.

I hope this kind of heped and if you have any questions, please do not hesitate to ask me.

Hi Dale – thanks for your comments.

I certainly can’t speak for all libraries – but the libraries I’ve worked for have all had some way to do auditing. But that’s beside the point – the software that I’m talking about isn’t purchased, proprietary software, for the most part. It’s the newer free, open source software that is in such heavy use for web workers (and I consider ALL library staff to be web workers these days). Software like Audacity, the flickr uploadr, Second Life, Firefox, etc, etc, etc. Combine that with other free apps like flash and quicktime viewers – all these are free to use… but do frequent updates.

Yes – the model shown in the comments to this post definitely allows users to install and uninstall software. In the library world, we consider our co-workers to be professionals, to be computer-literate… and to know how to do this type of stuff.

Malware/spyware/etc – certainly a problem. Mostly, those attack individual PCs, in which case that one PC would be down until IT fixed it. That’s a trade-off, but a small one. Considering that we (hopefully most libraries) have enterprise-level anti-spam/anti-virus software, I don’t see this as a big concern.

It’s a trade-off, but well worth it. The downside? Potential for a couple of staff members to kill their PCs (which can easily be re-imaged, the staff can be trained to not do whatever they did again, etc – ultimately a positive thing for all concerned). The upside? Freedom for IT staff to do other, more important things… freedom for library staff to learn, to pursue ideas without waiting for IT, etc. In my book, the upside wins!

And – I seriously doubt you could get into our servers in half a day. At the least, you’re forgetting passwords, network-level access, etc. But again, that’s beside the point. If a staff member were trying to gain access to something they knew they weren’t supposed to get into… that’s a problem with ONE EMPLOYEE. It should be dealt with via managers and HR. NOT by blocking all staff.

Hope that helps explain this perspective – I know it’s a new one!

Hi,

If you want to be able to install applications on PCs without users having administator rights, you might want to check this out http://www.x-install.com.
Normally you have to be administrator to install .msi files locally, you can
not use “run as”. x-install handles this beatifully.