Agreed. :) They have standard workstations which are locked down, but dev workstations where they are all powerful -- and confined to their own segment. Any issues arising from that segment, and their segment is cut off... :)

==============================================================
 ASB - http://www.ultratech-llc.com/KB/?File=~MoreInfo.TXT
==============================================================
 "Beware of a false sense of activity -- i.e., you're too busy
  to go to the bathroom but you're not sure what all of your
  work will add up to."

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Stefano
>Sent: Friday, March 22, 2002 12:45 PM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>I put dev people in their own DMZ. Who cares if they can
>access the tools to damage something if the network won't
>allow it through :)
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Szlucha, Chris
>Sent: Friday, March 22, 2002 12:51 PM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>I don't know if this makes any difference, but in a past
>workplace, we created a second account for users who
>absolutely needed admin rights on a machine and suffixed the
>name with ADM, but the users with these accounts could only
>use them for the installation process or to perform whatever
>function they needed then they had to log out and use their
>regular user account for the rest of the time. This was
>monitored very closely by our security folks, and anyone who
>logged into the ADM account first thing and stayed in all day
>or for a longer than needed time was spoken to by management.
>
>Face it, fighting development folks is extremely difficult if
>not impossible. Sometimes, as hard as it is, compromise is
>the only way.
>
>If someone has other ideas, I'd love to hear them also, as
>this is a sticky wicket.
>
>-Chris
>
>-----Original Message-----
>From: Wes Owen [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 12:39 PM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>Yes we have AD in place and have been using it.
>We will be implementing for several GP's as we roll out XP.
>Our servers are W2K which is what we have been limited to in
>the past as our clients are all NT 4.0.
>
>-----Original Message-----
>From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 11:36 AM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>Are you / Will you be using AD ?
>
>Joshua Morgan
>PH: (864) 250-1350 Ext 133
>Fax: (413) 581-4936
>[EMAIL PROTECTED]
>
>-----Original Message-----
>From: Wes Owen [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 12:28 PM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>That is my opinion also, but when it is the application used
>by your company to write checks and they don't have a
>replacement you are pretty much screwed.
>
>-----Original Message-----
>From: Szlucha, Chris [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 11:26 AM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>Well, that's a very poorly written piece of software you're
>using if it REQUIRES admin rights to run, and it's just a
>regular user app. IMHO, I'd find something else that's
>written properly.
>
>-----Original Message-----
>From: Wes Owen [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 12:23 PM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>The problem is we do not want them installing their own stuff,
>but the app is insisting on admin rights just to run, or you
>have to open things up so much as to make taking away the
>rights ineffective.
>
>-----Original Message-----
>From: Woods, Tony G AG:EX [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 11:02 AM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>I'm quite surprised some of you guys even allow users to
>install stuff on their own. Our support staff install all
>software if a user needs it to do their job.
>Running XP, we've had to be quite inventive to get some
>software running properly without bumping up their rights on
>the local box. For the most part, the Compatibility Wizard
>has been a gem. If that doesn't work, opening rights within
>the program files or the directory it installed to or the
>registry have saved us. Granted there are the guy/gals that
>need local Admin rights because they're an Oracle DBA or
>whatever but for the most part, a user is just that, a user.
>
>My $.02 CDN ;-(
>
>Cheers,
>Tony
>
>-----Original Message-----
>From: Ron Jameson [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 8:42 AM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>We here (in-house and with clients) are battling the same
>problem. We encounter many programs that want an admin to
>install (ok, the RUNAS works) but an admin to use the damn
>thing!!! These programmers are nuts if they think we are
>going to give admin rights to everyone. I end up using regmon
>to find out what the program is using in the registry and give
>full rights to that part of it (at least for server based
>programs). Local based issues I am still trying to find a way
>to cure it as you are. Power users group does not always
>work. Grrr.
>
>Ron Jameson
>James Hamlin Consulting.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Wes Owen
>Sent: Friday, March 22, 2002 10:20 AM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>Ok here is a specific.
>
>3/22/02 Create-A-Check requires full permissions to the
>following registry keys be granted to the user in order for it
>to work: H_KEY_LOCAL_MACHINE -SOFTWARE
> -Borland
> -CAC
> -Create-A-Check, Inc.
> Microsoft
> Windows and/or Windows NT (NT/2000) (make sure rights
>are granted for all noted subdirectories)
> Current Version
> - Setup
> Install Extra
>User also needs full control to the c:\Program Files\Common
>Files\Borland Shared\ and the subdirectories.
>User also needs to be granted full control to the network
>directory where Create-A-Check is installed, and all of the
>subdirectories.
>
>So if we open up the Setup key to everyone that pretty much
>kills much of the reason for removing the admin rights. I am
>curious how many more apps we are going to run into that behave
>like this. We have only tested around 75 of 600 applications
>to be tested.
>
>-----Original Message-----
>From: Ed Esgro [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 10:15 AM
>To: NT 2000 Discussions
>Subject: RE: Administrative rights
>
>When you say the applications need admin rights to run. I
>think you may want to be more specific about that. Admin
>rights include a lot of user rights. For example; Act as part
>of operating system. Add workstations to domain. Force
>shutdown from remote system.
>
>So Admin rights are just way too powerful. You should try to
>find out what the application needs to function properly.
>Admin rights, is like saying you need an airplane to get from
>Florida to NY, but you could really accomplish that by taking
>a bus or driving a car or walking. As far as installing
>applications, I would not empower anyone with this right. Just
>causes tons of problems down the road. Before you know it, you
>have Bonzi Buddy on all of your damn workstations.
>
>-----Original Message-----
>From: Wes Owen [mailto:[EMAIL PROTECTED]]
>Sent: Friday, March 22, 2002 10:46 AM
>To: NT 2000 Discussions
>Subject: Administrative rights
>
>How many out there do not allow administrative rights on the
>client systems?
>
>We are attempting to put all users into the Power Users group
>and I am sure you can imagine the stir it is creating. There
>are applications that require admin rights not only to
>install, but also to run. One of the manufacturers fix was to
>grant full rights to the Setup key, kinda defeats the purpose
>don't you think?
>
>If you do not put users in the administrative groups do you
>make exceptions for support and development staff? Do you use
>administrative accounts and only give support persons rights
>on admin accounts or do you give their user account all the rights?
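
Added example, not part of the original thread: a sketch of the approach described above (watch the application with a registry monitor, then open only the keys it is actually refused), with grants under the OS vendor's subtree, such as the Setup key, held back for review. The tab-separated column layout, the result strings, the process name cac.exe and the value names are assumptions modelled on a Regmon-style export; the rows are constructed.

```python
# Constructed sample rows in a Regmon-style layout (assumed columns:
# seq, time, process, request, path, result). Not a real capture.
_ROWS = [
    ("1", "0.10", "cac.exe", "OpenKey", r"HKLM\SOFTWARE\Borland", "SUCCESS"),
    ("2", "0.11", "cac.exe", "CreateKey", r"HKLM\SOFTWARE\Borland\Database Engine", "ACCDENIED"),
    ("3", "0.12", "cac.exe", "SetValue", r"HKLM\SOFTWARE\CAC\Settings\ExampleValue", "ACCDENIED"),
    ("4", "0.13", "cac.exe", "CreateKey", r"HKLM\SOFTWARE\CAC", "ACCDENIED"),
    ("5", "0.14", "cac.exe", "SetValue",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExampleValue", "ACCDENIED"),
    ("6", "0.15", "cac.exe", "QueryValue", r"HKLM\SOFTWARE\Borland\ExampleValue", "NOTFOUND"),
    ("7", "0.16", "explorer.exe", "SetValue", r"HKLM\SOFTWARE\Other\ExampleValue", "ACCDENIED"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)

KEY_WRITES = {"CreateKey", "DeleteKey"}        # path is the key itself
VALUE_WRITES = {"SetValue", "DeleteValueKey"}  # path ends in the value name
# Assumption of this example: grants under the OS vendor's subtree get a human review.
REVIEW_ROOT = r"HKLM\SOFTWARE\Microsoft"

def under(key, root):
    """True if key is root or a subkey of it (registry paths are case-insensitive)."""
    k, r = key.upper(), root.upper()
    return k == r or k.startswith(r + "\\")

def denied_write_keys(log_text, process):
    """Keys where `process` was refused a write-type request."""
    keys = set()
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or cols[2].lower() != process.lower() or cols[5] != "ACCDENIED":
            continue
        request, path = cols[3], cols[4]
        if request in KEY_WRITES:
            keys.add(path)
        elif request in VALUE_WRITES:
            keys.add(path.rsplit("\\", 1)[0])  # the ACL sits on the parent key
    return keys

def grant_plan(log_text, process):
    """Smallest set of keys to re-ACL, each marked 'grant' or 'review'."""
    minimal = []
    for key in sorted(denied_write_keys(log_text, process), key=len):
        # Skip keys already covered by a kept parent (grant applied to its subkeys).
        if not any(under(key, kept) for kept in minimal):
            minimal.append(key)
    return {k: "review" if under(k, REVIEW_ROOT) else "grant" for k in sorted(minimal)}

if __name__ == "__main__":
    for key, action in grant_plan(SAMPLE_LOG, "cac.exe").items():
        print(f"{action:6}  {key}")
```

Read-only failures (the NOTFOUND query) and other processes' denials are ignored, so the plan lists only what the application itself was blocked from writing.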
