Damn right. Knocking admin rights on the head was the first thing I
did arriving at this gig. We no longer have problems with corrupted
profiles, and our virus incidents have dropped dramatically. Using
mandatory profiles and harnessing the full power of Group Policy
Objects has also helped. Despite resistance from a small subset of
determined trouble-stirrers (e.g. "I can't change my mouse pointers
and screen saver! I can't do my job properly without auto-hiding my
taskbar!"), this appears to now be accepted as the way things are, and
the way they shall be. Even the rest of the IT department are now
happily using limited accounts for desktops and admin accounts for
server work.

I still laugh when I get third-party support telling me that users
need to run with administrative rights though. I can't believe how
many of them (particularly in the smaller business arena) still think
this is acceptable. And I enjoy especially hearing them tell me "you
can't do this without running as an admin", and then twenty minutes of
some angry Process Monitor-ing later, I can show them exactly how it
can be done without admin rights.

2009/9/1 Ben Scott <[email protected]>:
>  I'll chime in and agree that removing admin rights from regular
> accounts is one of the best things you can do.  The rest of the
> computer world has been doing it for 50 years or so; it's high time
> the Windows world joined in, too.
>
>  We started doing this when we started migrating from Win9X to
> 2000/XP.  Best thing we ever did.  The amount of trouble due to stupid
> things has dropped dramatically.  Users can't screw up their own
> computers any more.  We don't have "mystery software" -- no "so-and-so
> used to work here and had this program and now we need it but don't
> know where it is".  No pollution of user PCs with crap from home or
> the Internet.  The virus/malware problem is hugely mitigated by this
> alone.
>
>  It's been some work, and it's often still a lot of work when we get
> a new application in.  Fortunately, when someone thinks to ask IT
> before the sale, I can tell the vendor "fix your LUA bugs or we walk".
>  Even for a small company like this, that gets results.
>
>  Someone mentioned "he's a senior admin and I can't really justify
> not letting him have admin rights".  I can't speak for the politics in
> a particular company, but where I work, nobody has admin rights for
> their regular account.  Nobody.  Not the owner, not the president, not
> me.  I'm the IT Manager and half the IT department, and my regular
> user account has less access than a lot of other people.  I know the
> passwords to the admin accounts, of course, but my regular account is
> a regular account.
>
>  I strongly believe this should be the first tech improvement
> priority in any IT organization that isn't already there.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that
could provoke such a question."

http://raythestray.blogspot.com
