
Hi folks…..

 

Sorry if this is a re-hash of a very old subject, but – most of our users do NOT have administrative rights on their computers.  A select few (outside of our centralized IT organization) have what are termed “Z accounts” that are separate user accounts that are issued to individuals that essentially provide them with admin rights on their local systems, but – we’ve been trying to keep these to a minimum.  However – now that we are getting more and more update notifications for Adobe, Java, etc – the end user population is demanding more and more access to their systems so that they can do their own updates.  Up until now – we have held that we (the IT organization) would assist with any updates or software installations – and do so either at the desktop, or remotely through our Service Desk.  We do a lot of remote support via RDP and/or PCAnywhere and/or Altiris Deployment Solution.

 

We’re keenly aware of the potential risks that this presents, but – we’re being told that we have to pursue this direction – in some manner.  From a support perspective, the prevailing belief system is that when we relinquish admin rights to the end users, the field tech workload will swing from “installing updates and software” to “repairing and re-imaging systems”…….but, if that’s the direction we’re told to go, we’ll do so without argument…..(personally – I’m not opposed to it at all…..it’s more the “support policy” that concerns me…..;-)

 

But, the bottom line is – we have to allow users (either in general, or in a controlled group?), to install their own software – install their own patches (ie, Adobe, Java, etc.). 

 

My question is:  How do other colleges manage this?  Do you give users admin rights as a matter of course?.....or do you have a means of controlling this?  Do you continue to lock down the desktop such that most/all users do not have admin rights?.....or do you allow them to configure their own systems themselves, at their own risk?

 

Without sounding too callous, I *came* from an environment where users *did* have admin rights on their own systems – and for the most part, life was uneventful *except* for the instances where a user would get themselves so twisted up that when they did call for tech support – we basically told them that the 90% solution was to simply re-image their system for them.  Data backups were their responsibility – we’d re-image the OS and baseline software – install whatever additional software they could produce proof of licensing for – and re-pointed them to their network data stores……and that was about it.  Again – it worked fairly well in a “Fed sector” environment, but I’m not sure how well it would fly in a higher ed environment….??

 

Sorry this is so long-winded, but – curious to hear how everyone else handles this kind of situation…..

 

Thanks,

 

Michael


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Comments

Message from mail@jeffmoore.com

We actually allow a good percentage of our users to be admins on their boxes. Like you said it keeps things pretty uneventful. If you are working toward keeping things a bit tighter, products like Case and VMWare Go may be worth looking at. We have a sister organization that uses the VMWare Go solution for updates etc. and it seems to work well and is still being rapidly improved. We considered Case at one point and were very impressed with it. Unfortunately we just couldn't afford it in the long run.

I'm sure we will revisit this at some point so I am also very interested in solutions other folks have.

Thanks!

Jeff Moore
CCC/IT

On Aug 31, 2012 1:20 PM, "SCHALIP, MICHAEL" <mschalip@cnm.edu> wrote:

> Hi folks…..
> [quoted original message trimmed; identical to the post above]

We’ve had issues with users installing software that the college doesn’t own and installing Apple updates that brick the computer (PGP). For years, our Windows users have not been granted admin rights (except in extreme cases). Our Mac users have used local accounts and were admins due to a lack of management tools up until recently. Last year we began moving our Mac users to a managed environment (Profile Manager and AD). Many of the faculty that were affected by this are not happy and are currently battling this new change. And for some background, it was one of the Mac users who is battling this that had the unlicensed software.

 

Our CTO and president at the time felt it was less time consuming to install software when they needed it than constantly rebuild and re-encrypt computers after they’ve been bricked.

 

Tim

Tim Cappalli, ACMP CCNA | (802) 626-6456

Office of Information Technology (OIT) | Lyndon

» cappalli@lyndonstate.edu | oit.lyndonstate.edu

Sent from Windows 8 and Outlook 2013

 

We allow some users to get a local administrator account, but it is strictly a local account with no rights to any network shares.  The idea is that they normally work in an unprivileged account (so they can access network data etc.), and when they want to install software, the UAC prompt appears for them to enter the local user / password.  So our users do what I do – normal use on unprivileged account, and when I know I want to do privileged stuff, use UAC and enter an admin account / password.  I think we could minimize even this access if we could get a handle on Java / Adobe updates (prevent users from getting prompts to update and push out those updates automatically).

 

We also limit admin privileges to just a select few with those few being local computer admins, which is separate from their standard domain account.  We have several group policies that turn off the autoupdate and/or update notification bubble.  We then push the java, flash etc. updates via group policy during our normal Windows patching timeframe.

 

As for our Macs on campus, that’s why we have student workers :)

 

If something needs to be installed quickly, we or an approved student worker will remote to their desktop using Microsoft Remote Assistant and help them out.

 

Geo.

George K R I S S
Director, Information Technology
(618) 537-6445

701 College Road   |  Lebanon   Illinois   |   62254
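The two replies above describe the same desktop model: the user's domain account stays unprivileged, a separate local-only admin account exists for UAC elevation, and nothing else sits in the local Administrators group. The script below is an added example, not from any poster in this thread; it audits one Windows workstation against that model. It assumes Windows 10 / PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module, which postdates this 2012 thread), and the "z-<user>" naming pattern for the approved local admin accounts is a hypothetical stand-in for whatever scheme a site actually uses.

```powershell
# Added example (not from the thread): audit a workstation against the
# "unprivileged domain account + separate local admin account + UAC" model.
# Assumes Windows 10 / PowerShell 5.1+ (Get-LocalGroupMember); run elevated.
param(
    # Regex matching the approved separate local admin accounts.
    # "z-<user>" is a hypothetical naming scheme; adjust to your own.
    [string]$AllowedAdminPattern = '^[^\\]+\\z-'
)

$findings = @()

# 1. Who is actually in the local Administrators group?
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $name = $m.Name

    if ($m.ObjectClass -eq 'Group') {
        # A nested "DOMAIN\Domain Admins" is normal; any other nested group
        # widens local admin rights to people you did not deliberately approve.
        if ($name -notmatch '\\Domain Admins$') {
            $findings += "Unexpected group in Administrators: $name"
        }
        continue
    }

    if ($m.PrincipalSource -eq 'ActiveDirectory') {
        # A domain user here is exactly what the model forbids: admin rights
        # attached to the account that also reaches network shares and mail.
        $findings += "Domain user with local admin rights: $name"
    }
    elseif ($name -eq "$env:COMPUTERNAME\Administrator") {
        # Built-in account; expected to be present (and normally disabled).
        continue
    }
    elseif ($name -notmatch $AllowedAdminPattern) {
        $findings += "Local admin account outside the naming scheme: $name"
    }
}

# 2. The model only works if UAC is on and actually prompts a standard user
#    for credentials instead of silently denying elevation.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA <> 1)'
}
if ($uac.ConsentPromptBehaviorUser -eq 0) {
    $findings += 'UAC auto-denies elevation for standard users (ConsentPromptBehaviorUser = 0)'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Administrators membership and UAC settings match the least-privilege model'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it from an elevated prompt on a sample of managed machines (or wrap the body in Invoke-Command for a fleet); a non-zero exit code makes it easy to hang off a scheduled task or a compliance scan. The domain-user finding is the one to watch: it is the quiet way the "separate admin account" policy erodes, one helpdesk ticket at a time.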


Message from adamschumacher@creighton.edu

Re: [SECURITY] Granting all users (or "a select few"??) administrative rights on their own computer systems??

We are actually moving away from letting users have admin access on their computers.  It has been a very painful process both politically and technically.  BUT, consider the following:

  1. We have the tools to remotely deploy updates to applications as they are released (Landesk in our case, others have similar tools like Altiris).  This allows IT to test patches against the systems that users use (Banner, Blackboard, email, etc) before releasing them.  Java is one that is often very picky about version compatibility.
  2. Speaking of testing, how does one do any kind of worthwhile test when there is no standardization in the environment?  If users can make any modifications they want to the system at their whim, you can’t be sure whatever new software you want to deploy or upgrade /patch is going to work with configurations you don’t even know about.  This is tough.  You may have 5 or 10 (more?) different standards you have to maintain given that different areas have different needs.  The benefit though, is that you have a much higher confidence when you’ve tested against those 10 different standards that things will work.
  3. Others have already mentioned this but when you let users “manage” their machines, your support focus changes from preventative maintenance and known, planned changes (as you install and update software) to fixing broken and infected machines and fighting “fires”.  Personally, I’d rather be able to be proactive and avoid the uncontrolled downtime from unplanned issues.  
  4. Everyone here I’m sure is aware of the “principle of least privilege”.  What does a user need to do his or her job?  Of course, that answer may vary based on how your IT infrastructure is implemented, but I’m willing to bet “installing and patching software” is not in many of your (non-IT) staff members’ job descriptions... :)

sha1(

Adam Schumacher [MS] [MBA]
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= d6f7869d563ef99ad47a5ae03e94c76ead328935




Sounds like you are in a highly managed environment and the issue is response time to install software.   In places that have that culture, I’ve heard “we were happy technology X allowed us to improve to a two week install time” and places with admin rights on desktop “How do you survive politically!#@?”

 

Many of the application whitelist vendors try to have a happy medium that lets a central helpdesk get notice of software installs.  If they permit it, they can choose to permit it everywhere (such as some obscure line of business application) or just this one install.  End user gets responsiveness and theoretically you gain a two party control on all software installs.   One way we’ve handled it is managed desktops cost a certain rate per system.  If you have admin rights, we charge you more on the theory you’ll have more edge cases to support.

 

I’ve only played enough in Whitelisting to suggest you really need something more than AppLocker in Windows 7 to pull it off in a home run fashion.
