>  Over half use laptops, and are out in the field more than in an office

Yep, devices move around a lot. Luckily, I'm pretty sure ca.gov has an 
enterprise agreement with Microsoft which means you can use ConfigMgr and 
Direct Access to provide support remotely wherever these devices happen to be.  
Traveling to someone's desk should only be required when you need to swap out 
hardware, not for installing software or drivers.





From: [email protected] [mailto:[email protected]] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, July 28, 2015 5:21 PM
To: '[email protected]' <[email protected]>
Subject: RE: [mssms] RE: Removing admin rights for users

I agree with everything you said.  Which is why we went with Viewfinity.  For 
the user adding a printer, the user creates a policy request for installing 
drivers, etc, and we create a policy to allow them to do so.  That policy 
typically expires a day or two after we create it.  Same thing for the GPS 
software, etc.  We have ~3200 users, spread out all across the state.  Over 
half use laptops, and are out in the field more than in an office. (wardens, 
biologists, etc)  So, to ask them to either come into an office, or to meet 
their "local" field tech can be very cumbersome, and take a long time.  With 
Viewfinity, as long as they have an internet connection, they can request and 
receive policies.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Robert Schlichting
Sent: Tuesday, July 28, 2015 3:01 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] RE: Removing admin rights for users

That's a company policy issue..    most admins recommend a company wide policy 
that says.. NO local admin rights for the vast majority of users..   and then 
leave room for penciling in exceptions to policy as necessary..    if their job 
requires it.. then you pencil it in with the caveat that it is revocable should 
they abuse it too much.

Most end users should NOT be allowed to just install whatever they want, 
whenever they want,  but if their job requires it, then deal with them 
independently.

For those users you mention, either they qualify as a local admin.. or you can 
work with the user to get software installed as needed...  or else it's not a 
job/business requirement, and the answer is usually NO  :)

(note.. the preceding is just my 2cents, take or leave as you wish, I won't be 
offended either way! :)  )



From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, July 28, 2015 3:38 PM
To: '[email protected]' 
<[email protected]<mailto:[email protected]>>
Subject: RE: [mssms] RE: Removing admin rights for users

So, how would you address things like developers, who have MSDN licensing, from 
installing/uninstalling as they need, or a regular user trying to add a local 
printer, or a user installing software for their GPS device that they just 
ordered through their program?  Not being facetious, asking honestly.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Jason Sandys
Sent: Tuesday, July 28, 2015 11:49 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] RE: Removing admin rights for users

It's not about blowing something up, it's about preventing malicious activity - 
intentional or not. If something malicious happens and all of your valuable 
data is stolen, does it really matter who did it anymore - you're most likely 
out of business? I dislike Viewfinity and other similar products as they poke 
holes and change default behaviors that should work. You should not have to 
resort to something like this IMO.

J

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, July 28, 2015 12:38 PM
To: '[email protected]' 
<[email protected]<mailto:[email protected]>>
Subject: RE: [mssms] RE: Removing admin rights for users

We have a policy in our Viewfinity, that allows developers to elevate whenever 
they need to, just by putting in their credentials.  It pretty much gives them 
pseudo-local admin, but it logs everything they're doing, in Viewfinity, so if 
they do blow something up, we can go back and figure out what happened.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Andreas Hammarskjöld
Sent: Tuesday, July 28, 2015 10:17 AM
To: Jason Sandys; [email protected]<mailto:[email protected]>
Subject: RE: [mssms] RE: Removing admin rights for users


Writing server apps in Visual Studio is very cumbersome without admin rights. 
Things that require raw sockets, bcd files, backup etc are hard to do without 
it. Sure you can work and tweak local policies but then it's almost better to 
have them dev:ing on a non prod environment as admin and RDP into it. UAC and 
VS works well in my experience though.








From: Jason Sandys
Sent: 28 July 2015 18:56
To: [email protected]<mailto:[email protected]>
Subject: [mssms] RE: Removing admin rights for users


As a side note, there is no such thing as "power users". They got rid of that 
in Vista because it was basically no different than a local admin.

I concur with Daniel. If there are issues, it's the app's fault - you should not 
have to do anything special.

Sometimes, special things are required though (which means doing some work 
investigation - it's not magic) but these mainly involve opening file or 
registry permissions on a limited basis if the app is doing something it 
shouldn't. ProcMon is the primary tool to discover these as necessary. You can 
also use LUA Buglight to help identify apps that are doing these bad things: 
http://blogs.msdn.com/b/aaron_margosis/archive/2015/07/01/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10.aspx.
 Also, if you leave UAC enabled (which you absolutely should), then through 
some virtualization/redirection magic (yes UAC actually is magic) you typically 
don't have to worry about these bad apps because UAC transparently redirects 
writes to files and registry values in privileged locations to the user's 
profile.

J
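
[Added example, not part of the original thread or written by any of its participants: a PowerShell sketch that inventories what UAC virtualization has redirected into the current user's profile, which points at the apps writing to privileged locations that the message above describes. The function name Get-VirtualizedWrites is made up for this example; the two VirtualStore locations are the standard Windows redirect targets, and mapping file paths back to the system drive is an assumption.]

```powershell
# Added example: inventory UAC file/registry virtualization for the current user.
# Get-VirtualizedWrites is a hypothetical helper name, not a built-in cmdlet.
function Get-VirtualizedWrites {
    [CmdletBinding()]
    param(
        # Standard per-user redirect targets used by UAC virtualization.
        [string]$FileStore = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        [string]$RegStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    )

    # Redirected file writes (for example to Program Files or the Windows directory).
    if (Test-Path -LiteralPath $FileStore) {
        Get-ChildItem -LiteralPath $FileStore -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $relative = $_.FullName.Substring($FileStore.Length).TrimStart('\')
                [pscustomobject]@{
                    Kind         = 'File'
                    RedirectedTo = $_.FullName
                    # Assumption: the protected location lives on the system drive.
                    IntendedPath = Join-Path $env:SystemDrive $relative
                    LastWrite    = $_.LastWriteTime
                }
            }
    }

    # Redirected registry writes (originally aimed at HKLM\SOFTWARE).
    if (Test-Path -LiteralPath $RegStore) {
        Get-ChildItem -LiteralPath $RegStore -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.ValueCount -gt 0 } |
            ForEach-Object {
                $relative = $_.Name -replace '^.*?\\VirtualStore\\MACHINE\\', ''
                [pscustomobject]@{
                    Kind         = 'Registry'
                    RedirectedTo = $_.Name
                    IntendedPath = "HKLM\$relative"
                    LastWrite    = $null   # key timestamps are not exposed by the provider
                }
            }
    }
}

# Run as the standard user after exercising the app, then review what was redirected.
Get-VirtualizedWrites | Sort-Object Kind, IntendedPath | Format-Table -AutoSize -Wrap
```

Virtualization only applies to 32-bit interactive processes without a requestedExecutionLevel manifest, so an empty result does not prove an app is well behaved; ProcMon remains the way to see writes that were denied rather than redirected.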

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Daniel Ratliff
Sent: Tuesday, July 28, 2015 11:44 AM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] RE: Removing admin rights for users

It's generally one way or the other for us.

Does the app install for all users? Deploy via SCCM and run as administrator.

Does the app install per user/profile based? Deploy via SCCM and run as user.

If the app needs to run as the user but requires admin, we sent it back to the 
vendor/developer to fix it. That's just bad development.

Daniel Ratliff

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Beardsley, James
Sent: Tuesday, July 28, 2015 12:40 PM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] Removing admin rights for users

I remember reading some of you saying your users do not have admin rights. We 
are about to start down that road and one of the concerns I have is for 
application deployment. Most apps can be installed as an administrator so those 
aren't of any concern but we have several small accounting apps that write to 
the user profile when installed and I'm wondering how others have handled apps 
like these. When something is installed as an administrator (which is the local 
system account, right?), does that still allow licensing info or other files to 
be written to the users' %appdata%, %localappdata%, or to HKCU? Have you run 
into any issues deploying software while users are not local admin? It's yet to 
be determined what rights we'll be giving them (power user vs standard user). 
I'd be interested in how you have your users set up and how that affects app 
deployment.

Thanks,

James Beardsley | Firm Technology Group
Dixon Hughes Goodman LLP
