For those occasions when you can't quickly identify how to get around the "admin rights" issue, I find CPAU from JoeWare (http://www.joeware.net/freetools/tools/cpau/index.htm) very handy. There are probably security issues related to its use that someone could come up with, but for a stopgap measure that falls short of the hated "let them have admin rights" capitulation, giving you time to solve the issue properly when the world isn't falling apart, it does the job very nicely.
2009/9/2 Sean Rector <[email protected]>: > We've got a vendor who believes this garbage - so we're dropping them (a > major component of our business) and going with another vendor, after 6 years > of annual maintenance at 18k/year. Buh bye! > > Sean Rector, MCSE > ________________________________________ > From: James Rankin [[email protected]] > Sent: Wednesday, September 02, 2009 4:29 AM > To: NT System Admin Issues > Subject: Re: Local admins (was RE: MSINFO popping up) > > Damn right. Knocking admin rights on the head was the first thing I > did arriving at this gig. We no longer have problems with corrupted > profiles, and our virus incidents have dropped dramatically. Using > mandatory profiles and harnessing the full power of Group Policy > Objects has also helped. Despite resistance from a small subset of > determined trouble-stirrers (e.g. "I can't change my mouse pointers > and screen saver! I can't do my job properly without auto-hiding my > taskbar!"), this appears to now be accepted as the way things are, and > the way they shall be. Even the rest of the IT department are now > happily using limited accounts for desktops and admin accounts for > server work. > > I still laugh when I get third-party support telling me that users > need to run with administrative rights though. I can't believe how > many of them (particularly in the smaller business arena) still think > this is acceptable. And I enjoy especially hearing them tell me "you > can't do this without running as an admin", and then twenty minutes of > some angry Process Monitor-ing later, I can show them exactly how it > can be done without admin rights. > > 2009/9/1 Ben Scott <[email protected]>: >> I'll chime in and agree that removing admin rights from regular >> accounts is one of the best things you can do. The rest of the >> computer world has been doing it for 50 years or so; it's high time >> the Windows world joined in, too. >> >> We started doing this when we started migrating from Win9X to >> 2000/XP. Best thing we ever did. The amount of trouble due to stupid >> things has dropped dramatically. Users can't screw up their own >> computers any more. We don't have "mystery software" -- no "so-and-so >> used to work here and had this program and now we need it but don't >> know where it is". No pollution of user PCs with crap from home or >> the Internet. The virus/malware problem is hugely mitigated by this >> alone. >> >> It's been some work, and it's often still a lot of work when we get >> a new application in. Fortunately, when someone thinks to ask IT >> before the sale, I can tell the vendor "fix your LUA bugs or we walk". >> Even for a small company like this, that gets results. >> >> Someone mentioned "he's a senior admin and I can't really justify >> not letting him have admin rights". I can't speak for the politics in >> a particular company, but where I work, nobody has admin rights for >> their regular account. Nobody. Not the owner, not the president, not >> me. I'm the IT Manager and half the IT department, and my regular >> user account has less access than a lot of other people. I know the >> passwords to the admin accounts, of course, but my regular account is >> a regular account. >> >> I strongly believe this should be the first tech improvement >> priority in any IT organization that isn't already there. >> >> -- Ben >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >> > > > > -- > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put > into the machine wrong figures, will the right answers come out?' I am > not able rightly to apprehend the kind of confusion of ideas that > could provoke such a question." > > http://raythestray.blogspot.com > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > Virginia Opera's 35th Anniversary Season The One You Love > Celebrate with a 2009-2010 Subscription: La Boh?me, The Daughter of the > Regiment, Don Giovanni and Porgy and BessSM > Visit us online at www.vaopera.org or call 1-866-OPERA-VA > > The vision of Virginia Opera is to enrich lives through the powerful > integration of music, voice and human drama > > This e-mail and any attached files are confidential and intended solely for > the intended recipient(s). Unless otherwise specified, persons unnamed as > recipients may not read, distribute, copy or alter this e-mail. Any views or > opinions expressed in this e-mail belong to the author and may not > necessarily represent those of Virginia Opera. Although precautions have been > taken to ensure no viruses are present, Virginia Opera cannot accept > responsibility for any loss or damage that may arise from the use of this > e-mail or attachments. > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." http://raythestray.blogspot.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
