One way to get around the dev issue is to have a dedicated development 
environment (e.g. hosted in VMs). They can have their own AD, and do whatever 
stuff they need with elevated rights in there. But on their regular PC, for doing 
their regular work (e.g. writing documentation and writing emails and whatever), 
they use a regular account. And that helps the developers understand the 
types of restrictions that regular users have to work under as well.

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Wednesday, 2 September 2009 6:17 AM
To: NT System Admin Issues
Subject: Re: Local admins (was RE: MSINFO popping up)

Thoroughly agree, and I'm finally convincing management to let us make this 
happen - though our software engineers are not yet aware of it.
They'll probably end up on a firewalled subnet of their own, though, and can do 
what they want with it, as I'll wash my hands of that.

But, I'm down to two guys, and we've got a lot of work ahead of us to make this 
happen.

Kurt

On Tue, Sep 1, 2009 at 15:00, Ben Scott<[email protected]> wrote:
> I'll chime in and agree that removing admin rights from regular 
> accounts is one of the best things you can do. The rest of the 
> computer world has been doing it for 50 years or so; it's high time 
> the Windows world joined in, too.
>
> We started doing this when we started migrating from Win9X to 
> 2000/XP. Best thing we ever did. The amount of trouble due to stupid 
> things has dropped dramatically. Users can't screw up their own 
> computers any more. We don't have "mystery software" -- no "so-and-so 
> used to work here and had this program and now we need it but don't 
> know where it is". No pollution of user PCs with crap from home or 
> the Internet. The virus/malware problem is hugely mitigated by this 
> alone.
>
> It's been some work, and it's often still a lot of work when we get a 
> new application in. Fortunately, when someone thinks to ask IT before 
> the sale, I can tell the vendor "fix your LUA bugs or we walk".
> Even for a small company like this, that gets results.
>
> Someone mentioned "he's a senior admin and I can't really justify not 
> letting him have admin rights". I can't speak for the politics in a 
> particular company, but where I work, nobody has admin rights for 
> their regular account. Nobody. Not the owner, not the president, not 
> me. I'm the IT Manager and half the IT department, and my regular 
> user account has less access than a lot of other people. I know the 
> passwords to the admin accounts, of course, but my regular account is 
> a regular account.
>
> I strongly believe this should be the first tech improvement priority 
> in any IT organization that isn't already there.

