I still could not tell you how many.  I know the IT support staff is not large, 
I believe it is 3 or 4 people depending on how you list support staff, and we 
support people from California to Florida.  I THINK we have presence in 4 
states, but since my employment here I deal with only a very few people and I 
don't get involved in support on a regular basis.  I can tell you the support 
staff does all installs of software here and it is a multi-tiered process to 
install starting with the user requesting and management approving.  IT 
controls all licensing and does checks to verify all licensing.  Even IT 
staffers have to have approval for addition of any software from management.  I 
can also tell you that as I have seen on this list testing before, during, and 
after software is approved for use within the company it is tightly managed and 
all patches go through several loops of testing.  I was originally surprised at 
how tight things were done and how well it works.  I don't know your bank and 
from your statement it appears to be much larger than the one I work for but 
you can run with routine denial of admin rights within the banking industry.  I 
would think that any bank within the US would be risking a SOC's violation if 
this was not the case.
 
I have personally managed a very small research facility, 50 person group, and 
saw personally the reason for denial of local admin rights.  Once those rights 
were removed issues and blue screens dropped to almost non-existent.  Garbage 
being installed without regard to licensing stopped as well.  Issues that took 
the longest to fix were normally due to software wanting/needing to write to 
the Program Files folder in XP and Vista.  Usually it was poorly designed 
software that was written for Windows 98 and in at least one case (for me at 
least) DOS.
 
Jon
 
From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers
Date: Fri, 27 Mar 2015 05:41:07 +0000









My apologies – it seems that you have several companies all managed by a 
central holding company.

 
Google Finance puts your employee numbers at 785: 
http://www.google.com/finance?cid=666910
 


From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Friday, 27 March 2015 3:43 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers


 

I am in IT at this job but not in support, lucky me.  I believe we have more 
than that employed but really have no idea.

 

Jon

 




From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers
Date: Fri, 27 Mar 2015 03:06:03 +0000

You work for CSBNA? Internet suggests you have ~200 employees? I don’t know if 
that’s correct or not. Maybe you could confirm?
 
Certainly in areas like Contact Centre and Retail branches, pretty much 
everything’s deployed via SCCM or Tivoli or whatever. However that really 
doesn’t work for many group functions. Between in-house and partners, we have 
around 6000 people working in “IT” (broadly defined) alone, working on, 
developing for or supporting just about every platform under the sun.

 
Certainly there are many patching/deployment products. Do you know how 
expensive it is to package every single application and sociability test? Or 
how expensive it is to run a product for Windows, Linux, AIX, Alpha, Solaris, 
Non-Stop, Z/Os, HPUX etc. etc.? Certainly I agree that what you propose can be 
done technically. However technical issues are, in my experience, very rarely 
the main problem in larger environments.
 


From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Friday, 27 March 2015 1:40 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers


 

I work in the banking environment and IT does all installs.  We don't let users 
install anything.  Software licensing is too dangerous to trust the user to 
know if there is a license or not and if it is valid for us.  Nowadays there 
are a lot of products out to allow control of patching, deployment, and 
upgrades.  There is no reason for users to have admin rights.

 

Jon

 




From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers
Date: Fri, 27 Mar 2015 01:18:53 +0000

You have 7000 staff in your org? Or 7000 staff and students?
 
I can’t see how your model would work in Accenture, or HP, or any big bank, or 
any large software house – the range of activities undertaken by staff are far 
too diverse, and the range of software also far too diverse.
 
Cheers
Ken
 


From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Friday, 27 March 2015 11:59 AM
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers


 


 


My org is 7000. I found that when I fix an issue for one user it applies to 
500. When they want a software item a boatload of them want it, they each don't 
want a different item. So it does scale to large orgs.


 


I also find I have more time to find these fixes, and help them find new 
solutions because I am not cleaning up their mess anymore. And I find that they 
are working more and getting more done rather than staring at a blue screen 
waiting for me to clean up their mess.


 


My users love no admin rights. I am not lying. They totally see how much better 
their stuff runs, and they know we will hook them up if they need to be hooked 
up. And in return they respect us and give us the time we need to do it right.


 


It was a long tough haul, but I am darn proud of it. It is 2015. Limited user 
rights were first introduced in Windows close to two decades ago. I view admin 
rights anymore as an excuse.


 


 






From: [email protected] [[email protected]] on behalf of Ken Schaefer [[email protected]]
Sent: Thursday, March 26, 2015 8:47 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers



Is only really applicable when your time is free (or is nearly free).

 
To take it to an extreme, in a 100,000K user org, how much software do you 
think is in use, and gets added every day? How many desktop support people 
would you need to have on hand to work out these “fixes”, and re-implement them 
every time someone gets a new machine, or an upgraded OS, or a rebuilt machine?

 


From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Friday, 27 March 2015 9:36 AM
To: [email protected]
Subject: RE: [NTSysADM] RE: Local Administrators on computers


 

I am with Jim on this.  I have never found an excuse for a user to have local 
admin rights, except when I was too stupid to find the fix and I usually found 
one at some future date.  That was under XP.  Under Vista and higher I found no 
excuse at all.

 

Jon

 




From: [email protected]
To: [email protected]
Subject: [NTSysADM] RE: Local Administrators on computers
Date: Thu, 26 Mar 2015 12:54:31 +0000

They don’t need admin rights. You just haven’t figured out how to allow them to 
function without it. That is what you need to do.  You can elevate specific 
software only with add on software to elevate that shortcut for example.
 
No one has admin rights, ever, except my department.
 


From: [email protected] [mailto:[email protected]] On Behalf Of Freddy Grande
Sent: Thursday, March 26, 2015 1:39 AM
To: [email protected]
Subject: [NTSysADM] Local Administrators on computers


 
How does everyone handle users needing local administrator rights?
We have some field users that require local admin, at the moment their domain 
accounts have local administrator rights on their computers, however, this can 
be dangerous if they run everything as admin.
 
I’ve been wanting to create local admin accounts on computers that require it, 
set a unique password to these and deny local/interactive logon so they are 
only to be used for elevation. Ideally all of this should be controlled through 
GPO or similar method to prevent users changing passwords to something weak. 
I’m not finding an easy way to refer to local accounts in GPO though so I’m 
thinking scripting is going to be the only way to go… any thoughts or ideas?
 
Bonus: how would you prevent a user from launching an elevated Computer 
Management console and adding their domain user accounts to the Administrators 
group?
 
Freddy
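
An added example, not part of the thread or any poster's own script: one way to detect the drift raised in the bonus question above is to audit each machine's local Administrators group against an allowlist of SIDs. The allowlist patterns and the sample members are constructed for illustration; on a live machine the input would come from `Get-LocalGroupMember`.

```powershell
# Added example: flag members of the local Administrators group that are not allowlisted.
# Allowlist patterns and sample members are constructed for illustration.

function Find-UnexpectedAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Members,            # objects with Name and SID
        [Parameter(Mandatory)] [string[]] $AllowedSidPatterns  # -like wildcard patterns
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        # Match on SID, not name: a SID does not change when an account is renamed.
        $allowed = $false
        foreach ($p in $AllowedSidPatterns) {
            if ($sid -like $p) { $allowed = $true; break }
        }
        if (-not $allowed) {
            [pscustomobject]@{ Name = $m.Name; SID = $sid }
        }
    }
}

$allow = @(
    'S-1-5-21-*-500',   # Administrator account (RID 500)
    'S-1-5-21-*-512'    # Domain Admins group (RID 512)
)

# Constructed sample. On a live machine use instead:
#   $members = Get-LocalGroupMember -SID 'S-1-5-32-544'   # BUILTIN\Administrators
$members = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';   SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'EXAMPLE\fielduser1';    SID = 'S-1-5-21-4444444444-5555555555-6666666666-1604' }
)

$unexpected = @(Find-UnexpectedAdmin -Members $members -AllowedSidPatterns $allow)
$unexpected | Format-Table -AutoSize
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected member(s) in local Administrators"
}
```

With the constructed sample, only `EXAMPLE\fielduser1` is reported, since its SID matches neither allowlist pattern.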
 













                                          
