megadan2000

IS-IT--Management
Apr 3, 2003
43
GB
Hi Guys,

I have a bit of a dilemma on my hands. I work as an IT Manager in a School. I have a user who keeps on pestering me that he needs admin rights. I have given him local admin rights but this is still not sufficient for him. I am getting really annoyed now as this bugs me. He wanted domain admin rights which I put my foot down on straight away and said NO. Then I gave him local power user rights but still he was not happy. Then I gave him Local admin rights which I don't even want to give him but I can't come up with a reason why I shouldn't. So in those books of excuses out there have you got any good ones?

Cheers

Megadan
 
ICT Co-Coordinator by any chance?

I would ask them to explain why they need admin rights and if they have a very good reason then I would consider a local admin account (not for general use, for installing only). As for domain admin rights, ABSOLUTELY not under any circumstances.
 
As an example, I used to manage an NT4 network a few years ago for a high school. A teacher (with domain admin rights) installed a printer and made it the default. As Office at this time was installed on the server, all the stations on the network started looking for a printer that didn't exist anywhere except the teacher's PC.

I know this particular problem is unlikely to happen these days but it's an example of what can happen when people misuse domain admin accounts. That doesn't even start to cover the dangers of viruses and worms.
 
I have only given him Local admin rights but I think that he's abusing those also. The teachers don't need to install anything on their computers as everything they need is already on their machines. Grrrr!!
 
Gather some evidence about how you think they are abusing the rights and then build a case to remove them. I assume you have an acceptable use policy that covers use of the system. If they are installing unlicensed software then you could get them there; if they are installing any random cr@p from the net then bring up the dangers of spyware, adware and viruses.

Users really shouldn't require this level of access and even if they are above you in the chain of command you can argue with common sense. They will have to back down eventually as they won't have a good enough reason and will just look silly if they continue to challenge you. As this is a school they don't own the equipment so have no real right to overrule an acceptable use policy.
 
When faced with this situation, your only real response is to get political. Force the user to justify his request to both his manager and your own.

Generally speaking, once you do this, the issue dies immediately--it's almost certain that the user wants the rights for non-business reasons at best. His request for domain admin rights (wtf? Danger, Will Robinson!) would lead me to believe he has something at least unethical, and most likely downright malicious planned--that being the case, he probably has no desire to get any management involved who may ask questions.

However, if he does go up the food chain, preempt by presenting your case to your management first ("Mr. Smith in room 302 wants administrative access to his PC--all the software he needs is already installed, and we told him we'll be happy to install anything else he needs that's outside the scope of our standard image, but he's being insistent. He's even asked for administrative access to our entire network, and has threatened to go to the superintendent if he doesn't get his way. I shouldn't have to tell you how worrying this is.")
 
I must be lucky because I've managed networks for 8 years now and have never run into this type of case.

Maybe it's because I handle these types of situations like this...

Somebody: "I need <insert rights here>."

Me: "Why? What are you trying to accomplish?"

It's important to have a backbone in this job. If security is of any importance, you'll want to limit the number of accounts that have admin privileges, especially on the network. Unless he is responsible for taking care of any network maintenance, then his request should be denied flatly. If he goes to a higher up, when that person comes to you, simply say, "because it serves no purpose".

You should never do something that will make you feel uncomfortable because when something happens, everyone will come back to you and say "why didn't you prevent that" or "why did he have admin rights on his local machine".

Hope this helps

Justin

 
Absolutely, I've used the "I can't possibly perform my role under those conditions" line before. This is true, as how can you be charged with securing and running a reliable network when any old charley is running around with admin rights? They might even have the damn password written on a Post-it note stuck to their monitor. [evil]
 
I thank you all for your valid input. My approach is normally:-

User - I need this piece of software installed.

Me - Have you got a licence and can I see it? Is it licensed to use on a network? If these are intact then I will proceed when I get a minute.

I am thinking of just re-RISing his machine and getting rid of his rights, and if he argues the case, my case will be: if the other 90 staff can use a PC without this software, what makes you different?
 
Actually, unless the software is actually used by the school, it doesn't belong on the system. Most licenses are for only one machine and if he actually brings this software from home, then most likely, installing it on your systems violates that license. Not only that, you have no idea what might happen. Sure, you might think it seems safe and it's no big deal, but then one day you're spending 5 hours troubleshooting a computer.

If he needs that software badly enough, he should petition his higher ups to have the school purchase the software. If the school refuses, then he's screwed. Again, you don't want someone coming back to you asking,

"Why are we being sued for not having appropriate licensing on his machine?"

Justin

 
Thanks Justin,

I think that will be my approach to him. Unless the software is licensed by the school then I am not willing to install it on any machine within the domain.

Well thanks everyone again and I will give it a shot and keep you posted on any updates.

Thanks again

megadan
 
I have been a network admin for 8 years now and I have to say that both Justin's and jkupski's suggestions are very good.

I generally don't worry too much about the local system's admin rights as I impress upon the user's supervisor via their budget that it is not in their best interest for a user to have so much room to cause trouble.

I.e., I take a really, really, really long time to reinstall the OS and accepted software on the system, causing the user's improprieties to show up on their boss's budget report. When it starts costing people money for staff stupidity, they start to take control of their staff people.

Kelly Johnson MCP
Central City Concern
 
Ok,

From the horse's mouth. He's trying to install a program that the school has bought. The program is not compatible with roaming profiles, therefore it won't work as he's got a roaming profile. He wants access to regedit and I said no as regedit is disabled in Group Policy. Now he's asking for a local profile but I'm not prepared to do that either. If this just carries on I'm just going to see my boss, which is his boss, and tell her that he doesn't need any admin rights and take everything away.
 
You could go as far as setting local policy to prevent his roaming profile downloading on just his station.

What software is it?
 
"Now he's asking for a local profile but I'm not prepared to do that either"

Any reason why not? Contrary to your initial posting, the user's actual request appears to be reasonable--he has software the school bought for his use that does not work with your current configuration. Moving from a roaming profile to a local one is a no-brainer, I think--just impress upon both the user and their management the downsides of this (i.e. his data will no longer follow him to other PCs, will no longer be subject to the centralized backup policy, etc.)

I believe you are digging your heels in on this one because of your past negative history with this user. Take a step back and evaluate this situation again. If you still come to the same conclusions (and you may--it's not possible to understand your issue completely via message board postings, after all, and there may be a few gotchas here that we don't see) be prepared to justify them.
 
I have to agree with jkupski. Unless he makes a habit of moving from one machine to the other, there's no need for a roaming profile.



 
Or preventing his roaming profile from downloading to that one station.

Computer Config - Admin Templates - System - Only allow local user profiles
 
megadan2000,
Just so you know, I've worked with Groove for about 4 years now. It does work with roaming profiles. As most of the comments that have been posted, this user will most likely only be using one computer anyway. By the way, the Groove administrator should know about this as well, as there are settings that allow multiple computers to be used with the same Groove account. Do you know if Groove is managed locally, or centrally by Groove itself? In either case, I think the user should contact the Groove POC (there should be only one at the school) and ask for this to be modified.



 