Defining Access Rights on Groups (Restricting Developers!)

Status
Not open for further replies.

Stevehewitt

IS-IT--Management
Jun 7, 2001
2,075
GB
Hi all,

Been at a company for about two months, and I'm starting to make my mark. It's a web (.net) development company with about 30 people - 10 are developers or are in the development dept. I'm the first dedicated 'network admin' they've employed so things are in a bit of a mess.

First of all, every developer has full ADMINISTRATOR access to his / her local machine. This causes me a hell of a lot of concern, primarily because if I slap on a group policy they don't like, it's quite easy to stop ME from doing it.
(E.G. Removing Local System access rights to the relevant part of the registry where policies are applied).
I have mentioned this to my manager and he said that developers have to have administrator access.
I want to prove him wrong!

The problem is, I'm unfamiliar with what the differences are between administrator and power user. In addition, how can I create the granularity of a new user group?
E.g. are the differences between the admin and power user groups really just local policies?

So what I'm after is:

1. Comparison table of the differences between admin and power users (if someone could point me to the right URL or something it would be great thanks)

2. Is it really just group policies and NTFS permissions that define the differences between the two groups? (E.g. I can do it myself?)

3. Could someone point me towards a good tutorial or step-by-step guide on doing this?

Thanks guys - any help appreciated.

Cheers,



Steve.

"They have the internet on computers now!" - Homer Simpson
 
Unfortunately I kind of agree with your manager. Developers often actually need to install and uninstall a lot of different tools/addins and add their own code to the registry.

It's possible for them to work as less than full administrators, but probably pretty damn annoying for them to do so.



 
True - but in my opinion an annoyance day-to-day is better than the annoyance of being without a PC for a day if a mistake is made.

Group Policies, Quota Limits, Exchange Access - all screwed up if everyone has administrator access. (Well, not true - but it's what Windows was designed for!)

You wouldn't give root to your Linux users if you had it on the desktop would you?! :)

I know what some of them can be like - and how on earth am I to be expected to implement decent Windows based security when they have as much access as me on the box! They should not be able to override group policy settings - something which in my opinion isn't negotiable.

Any solution appreciated.

Cheers,



Steve.

"They have the internet on computers now!" - Homer Simpson
 
Quotas and Exchange should be unaffected by their local machine rights. You can pretty well lock down the rest of your domain, just not their local machine.

Your best bet is to just let them be power users, but they won't be able to add services (or stop services that start by default), both of which could be a pretty big deal depending upon what you are developing.

Another option is to keep their machine separate from your main domain. If they need to have complete control of their machines it could be on a machine that does not have complete access to the rest of your environment.

And ... No, I wouldn't allow root access on a Linux machine, but on a Linux machine they wouldn't need root access to do development.

 
I'm still reluctant to give power user access. Power Users are a sub-set of the administrators group, rather than a superset of the users group.
I personally could elevate privileges to admin from power user without authorised access on a WinXP Pro machine - not particularly hard.

My argument is that developers should not need admin/root access to a machine - so I'm after details on creating a new group with granular permissions.

Any ideas how this is achieved? Just by group policies?
 