Laptops and local access 4

[LadySlinger]

What sort of access do you allow on your laptops?

I'm curious mainly because we recently began implementing all user access to laptops to have "Power User" access. If they need administrative privileges to install anything, then they need to be in the office where a member of IT can install the software for them.

There has recently been a small revolt by a couple of users that frequently leave the office and run into situations where they need remote support and claim that they NEED their administrative access back. I normally refer them to their managers who are already aware of the the enforced policy and tell them too bad.

Lately it seems almost a headache as a few of the laptop users are coming back almost daily with some "new" issue that would require them to have admin privileges.

What is your policy on laptops?

 

[Grenage]

Our police is no administrator rights for anyone who isn't an administrator.

I lock down the USBSTORE and CDROM services, disable the local ethernet port and restrict wireless access to only our company WAP.

So I'd say your guys have a rather easy run of things, by comparison. It's very common for users to badger you with requests for the same thing over and over again, hoping that you will eventually give in. I always say that they can have local administrator rights, but if they do then their tablets aren't coming onto the network again.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer

 

[kodr]

From a user standpoint? What's more important, getting the work done that provides the income for the company, or making sure that each user only has the bare minimum access they need to usually get their daily work done?

Unfortunately, that's the mindset of most non-IT workers. It's a fine balancing act.

 

[spamly]

I've been on both sides of this issue. I used to be a Windows/LAN admin and I saw the support headaches that idiot users with privileges cause.

Admittedly it is harder, but not impossible, to get as much work done if you can't install your own custom tools when you want. I'm in this world now.

That said, almost EVERY major virus/outage that my company has had in the last 4 years has been brought in by one of these idiot users or vendors with an external device. We can't even begin to calculate the amount of time and money we've spent remedying the problems this has caused.

We now have identified select power users/developers that get extended access. We still insist on having a standard set of patching, inventorying, and antivirus tools and each device that comes into our network. While not a perfect solution, it has been accepted by all parties and we haven't had a major related outage since we implemented it.

 

[Dollie]

Laptop policy is that I install software, they don't. I can remote in through my instant messenger and install whatever software they need. If it is something they HAVE to have, dimwit then has to share their desktop and I'll make the determination if they need it or not. I have a full listing of approved software that can be installed on a system, and it's more extensive than users realize.

I also remind them that they're using company machines, not their personal machines. If they'd like to change that I would be happy to accommodate them and would they like to review the usage policy again and when do they plan on turning the laptop back in? Oh, what? No? Oh, there is understanding?

Two users want to be admins just because they think they're important. A simple change of user name to "Dimwit's Name Administrator" was all that I had to do.

(Shhhhhhh.... don't tell them.....)

 

[SQLSister]

I'm with Dollie. As long as you have someone who can remote to their laptop and install software, then I'd tell them tough luck.

"NOTHING is more important in a database than integrity." ESquared

 

[Prothios]

One way you can go about it is to say that you also need to maintain license information to ensure that the proper licenses are purchased for any software installed. If they start talking about "freeware", typically the freeware license applies only to personal use, not business use. This can be a big issue if licenses aren't in check with installations - someone's ability to do their job with unlicensed software could mean hefty fines for the company.

Depending on your organization size, some opportunties may exist for automating software installs (package deployment via a software package or through group policy). Unfortunately my knowledge in this area is limited as I've only been on the receiving end.

 

[Dollie]

With a Windows server and mobile 2000/XP users, you can set up a login script that will force the laptop to "phone home" when connected to the internet. You can then push out Windows and Office updates, as well as AV updates if you have an enterprise antivirus solution, etc.

Now, I know it can be done because my pop's old laptop that I got from him did that. I do not know how to actually do it though! That's something on the todo list for someday in the future.

 

[LadySlinger]

Hmmm...thanks for the tips and recommendations everyone.

I was searching around and found this:

http://support.microsoft.com/kb/307882/en-us

Basically how to set up GPO on the local computer. I probably will implement something like this to fine tune that authority balance.

I guess I wasn't sure if GPO could be done locally or if it had to be done through a domain.

 

[fredericofonseca]

This subject is sometimes not as easy as it seems.

Its all fine when the IT department restricts access, and THEN does install software as needed by the user on request, and on a reasonable amount of time.

I am now on a company where admin rights are restricted, and this is fine per se. Problem is that when I had a valid business reason to have SQL MSDE installed on my PC this was delayed and delayed as there was no one available to do the install.

I was forced to use a development server to do my work. Following day they installed the MSDE on my machine after I had brought down the server due to the extensive and heavy SQL's I had to do.

Had I been given admin access I could have installed the software myself (no license required on our case as we have a per processor license on the servers), and everyone would be happy.

Regards

Frederico Fonseca
SysSoft Integrated Ltd

http://www.syssoft-int.com

 

[LadySlinger]

So wait - Dollie do you allow IMs on their machines and the network?

We disabled anyone from using instant messenger on our network. I'm just curious because I'm looking for more options. I spent today just messing around with GPO.

 

[Dollie]

We're using one of the more common instant messaging programs that now has a professional version that not only allows me to remote in, we can also start webcam sessions, GoToMeeting sessions, and if I have a file that I need to install, it has great file handling capabilities. Without IM, my email would be busier, I'd be on the phone more, and I'd have four times as many post-it notes on my desk. We're not a huge company, but we've found it to be a priceless tool.

We've got pretty tight restrictions on software, but it's not anything that my mobile users notice. They use Office and the internet. Anything more isn't needed. Although the users are not computer experts or rocket scientists, I make sure they are educated enough to spot spam, phishes and potentially dangerous e-mails and websites.

Now, my software and web developers have full run of their systems, but only on their local system. (I made a big oopsie one time and gave one of them admin access to the network. He brought it to my attention.)

 

[chiph]

I used to be a Windows/LAN admin and I saw the support headaches that idiot users with privileges cause.

I work at a software company. Idiot users don't last long here.


Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first

 

[lhuegele]

We do not give admin rights. We do have a waiver process in place however. A user claiming they need admin rights on their lapop are given a form to fill out that includes business justification areas, as well as an area for their supervisor to approve. The supervisor must also agree to cover any costs related to problems this user causes on the network by having admin rights.

Once they see the form, the user usually gives up, and if they don't, their supervisor usually says "NO WAY" to the part of incurring the costs that would be associated by security breaches, virus attacks, etc. that are traced back to that users laptop.

Once the users understand the huge cost involved with all that, they stop bothering us for admin rights.

 

[wlemery]

From Dollie:Two users want to be admins just because they think they're important. A simple change of user name to "Dimwit's Name Administrator" was all that I had to do. [endit]

Calling people names such as dimwit is not going to win you any friends or cooperation, both of which you'll eventually need. Most companies won't tolerate that kind of attitude, but yours evidently does… so were I you, I wouldn't quit my day job.

 

[Dollie]

Using something such as 'dimwit', (L)user, idiot, nitwit, etc. instead of the real user's name is something that is done occasionally on public discussion boards. I'm not the first to have done so, and I probably won't be the last.

This, in no way, affects my job or the level of support that I provide to every single one of my users regardless of their level of experience. It also does not affect who I choose to have administrative rights on my network. Keeping my network safe from people who do more damage than work, and create more work for the support department than all other users combined is my #1 job. What I call these users on a public board is up to me as long as I do not use their real names.

If you'd like to come back and contribute something to the discussion about permission levels on laptops, please feel free to do so.

 

[SQLBill]

I have seen it both ways: limited access and admin access. Before someone was authorized admin access they had to sign a document that acknowledged they would be responsible for ANYTHING installed on their computer (with or without their knowledge - virus, etc). And that they would not be able to connect their laptop to the network without first having a system/security admin review the computer.

Very few people required admin access after reading the document.

-SQLBill

The following is part of my signature block and is only intended to be informational.
Posting advice: FAQ481-4875

 

[j0ckser]

I am working at a company that SEVERLY restricts access to the internet, and has a policy of dismissal if someone does their own installations. As far as I know this policy is iron-clad and even senior management and the executive are curtailed by this. There are a number of laptops in circulation the rules are no less stringent. I have sympathy for those who feel they need admin access, but that's as far as it goes.

lhuegele has great info. When people have problems with their own computers, whether they can fix them or not, they pay no attention to the time they spend repairing the problem... and consequently no concept to the time burden on the IT department when things go awry in a company.

Play no favourites. My bet is that if you allowed someone to bypass this rule, you might well be looking for work elsewhere.

per ardua ad astra

 

[bchizary]

iv experienced both sides of the coin... and the change over. Where i used to work people could do whatever they liked. It was a nightmare. We started to audit and people were doing loads of stuff on machines they shouldnt.
I tried to impliment policies... users hated me, but it was worth it, saving me a lot of time.

Its a real ball ache and you start to wonder if it worth bothering.

Iv since moved to a larger company, and here pcs are locked down big style- and it saves us a great deal of bother. It is a hassle to train users that their work pc is FOR WORK... but it is worth it for sure.