I work in the banking environment and IT does all installs. We don't let users install anything. Software licensing is too dangerous to trust the user to know if there is a license or not and if it is valid for us. Nowadays there are a lot of products out to allow control of patching, deployment, and upgrades. There is no reason for users to have admin rights.

Jon

From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers
Date: Fri, 27 Mar 2015 01:18:53 +0000

You have 7000 staff in your org? Or 7000 staff and students? I can’t see how your model would work in Accenture, or HP, or any big bank, or any large software house – the range of activities undertaken by staff are far too diverse, and the range of software also far too diverse.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Friday, 27 March 2015 11:59 AM
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers

My org is 7000. I found that when I fix an issue for one user it applies to 500. When they want a software item a boatload of them want it; they each don't want a different item. So it does scale to large orgs. I also find I have more time to find these fixes, and help them find new solutions, because I am not cleaning up their mess anymore. And I find that they are working more and getting more done rather than staring at a blue screen waiting for me to clean up their mess. My users love no admin rights. I am not lying. They totally see how much better their stuff runs, and they know we will hook them up if they need to be hooked up. And in return they respect us and give us the time we need to do it right. It was a long tough haul, but I am darn proud of it. It is 2015. Limited user rights were first introduced in Windows close to two decades ago. I view admin rights anymore as an excuse.

From: [email protected] [[email protected]] on behalf of Ken Schaefer [[email protected]]
Sent: Thursday, March 26, 2015 8:47 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers

Is only really applicable when your time is free (or is nearly free). To take it to an extreme, in a 100,000K user org, how much software do you think is in use, and gets added every day? How many desktop support people would you need to have on hand to work out these “fixes”, and re-implement them every time someone gets a new machine, or an upgraded OS, or a rebuilt machine?

From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Friday, 27 March 2015 9:36 AM
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers

I am with Jim on this. I have never found an excuse for a user to have local admin rights, except when I was too stupid to find the fix, and I usually found one at some future date. That was under XP. Under Vista and higher I found no excuse at all.

Jon

From: [email protected]
To: [email protected]
Subject: [NTSysADM] RE: Local Administrators on computers
Date: Thu, 26 Mar 2015 12:54:31 +0000

They don’t need admin rights. You just haven’t figured out how to allow them to function without it. That is what you need to do. You can elevate specific software only with add-on software to elevate that shortcut, for example. No one has admin rights, ever, except my department.

From: [email protected] [mailto:[email protected]] On Behalf Of Freddy Grande
Sent: Thursday, March 26, 2015 1:39 AM
To: [email protected]
Subject: [NTSysADM] Local Administrators on computers

How does everyone handle users needing local administrator rights? We have some field users that require local admin. At the moment their domain accounts have local administrator rights on their computers; however, this can be dangerous if they run everything as admin. I’ve been wanting to create local admin accounts on computers that require it, set a unique password to these, and deny local/interactive logon so they are only to be used for elevation. Ideally all of this should be controlled through GPO or a similar method to prevent users changing passwords to something weak. I’m not finding an easy way to refer to local accounts in GPO though, so I’m thinking scripting is going to be the only way to go… any thoughts or ideas? Bonus: how would you prevent a user from launching an elevated Computer Management console and adding their domain user accounts to the Administrators group?

Freddy
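The scripted approach Freddy describes, as an added example that is not code from anyone in the thread: it keeps one dedicated local admin account per machine with a unique, rotated password, and reports any member of the local Administrators group that is not on an allowed list, which is the detection side of the bonus question. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, an elevated session such as a GPO startup script, and the hypothetical account name `fieldadmin`; the "deny log on locally" right is a User Rights Assignment applied by the same GPO and is not set here.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts module) in an elevated session, e.g. a
# GPO startup script. The "deny log on locally" right for the account is a
# User Rights Assignment set in the same GPO; it is not changed here.
param(
    [string]$AccountName = 'fieldadmin',                       # hypothetical name
    [string[]]$AllowedAdmins = @('Administrator', 'fieldadmin', 'Domain Admins')
)

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 symbols, so (byte % 64) is unbiased; uses the CSPRNG, not Get-Random.
    $chars = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % 64] })
}

function Set-DedicatedLocalAdmin {
    param([string]$Name)
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $Name -Password $secure          # rotate on every run
    } else {
        New-LocalUser -Name $Name -Password $secure -PasswordNeverExpires `
            -Description 'Elevation-only account; interactive logon denied by GPO' | Out-Null
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
    # Hand the value back for central escrow (LAPS keeps it in an AD attribute); never log it.
    return $plain
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed)
    # Bonus question: a domain account added through an elevated Computer
    # Management console shows up here. Compares the part after the backslash
    # ("DOMAIN\user" -> "user"); match the full name if you need a stricter check.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains ($_.Name -split '\\')[-1] } |
        Select-Object -ExpandProperty Name
}

$newPassword = Set-DedicatedLocalAdmin -Name $AccountName   # escrow $newPassword here
$extra = Get-UnexpectedLocalAdmins -Allowed $AllowedAdmins
if ($extra) {
    Write-Warning "Unexpected members of Administrators on $env:COMPUTERNAME: $($extra -join ', ')"
}
```

Rotating the password on every run means a user who learns it once cannot keep using it, and the warning output can be collected centrally to catch the self-added domain accounts Freddy asks about.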

