3

I am in charge of a Windows-based network of over 70 computers at work. Servers are Windows Server 2008 and workstations are Windows Vista and Windows XP.

Most users are researchers, and some of them have very specific needs about constantly installing new little apps that they obtain from the web and experimenting with them. They have asked us (the IT department) to grant them local admin rights to their machines, but I am not sure whether that would be a good idea.

Pros: users would be able to install apps as they wish and experiment freely, making their jobs easier; IT people would be less pressured to assist them every time they need to install a new app.

Cons: users would be installing who knows what, without any control whatsoever, and possibly introducing incompatible software or even malware into the network.

I have thought of granting them local admin permissions but placing their computers in an isolated network. However, we would still need to solve their connection to the domain server and the file and database servers.

Any ideas on how to solve this issue? Thanks.

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
CesarGon
  • 440
  • 3
  • 14
  • 27

7 Answers7

5

For this type of situation I would go one of two ways:

  1. For those that do alot of tinkering with different programs, install VMWare workstation and have a repository of base VMs they can pull off the network and start up as needed.

  2. This second one is a little more expensive, but I would go with something like VMWare ESX + Virtual Center* so that you can create base templates they can deploy. Giving them a nice little sandbox to play in with full admin rights. Allowing them to create and destroy vms as needed. This would only really be reasonable if all 70 people needed to play with different things all the time. This would also let them snapshot machines before they install something or tweak a setting so they can quickly roll back, also it would allow you to give them access to a bigger variety of OSes, without having to mess around with thier day to day machine.

*or any comparable virtulization technology you know/can afford - Xen, Hyper-V, KVM, etc.

Zypher
  • 37,405
  • 5
  • 53
  • 95
5

I worked at a research organization with about 120 people. Only about 30 could do their work with a locked down machine, the other 90 were researchers or technologists who had to use obscure software and many of them had to work in remote locations where the only help we could give them was over the phone (i.e. no Remote Desktop to their laptop to make something work).

While it's true that "Most decent modern software no longer requires admin rights," we had to deal with a lot of not-quite-decent apps that needed admin to install and run. Some of it was software written in-house or by other researchers and grad students that was needed because of its scientific accuracy, not the quality of the software or its adherence to best practices.

Some of it was software used for data acquisition and process control that was intended to run on a dedicated machine in an industrial setting. In that setting, even if someone gets out of the control app, they have to immediately start it up again because some big, dangerous piece of equipment is dependent on it. But when those apps were used in our environment, they weren't the only thing running on that PC.

We also had a corporate culture where anything the scientists needed to do was ok and IT had to make it work. Back when it was Win3.1, 95, 98 it didn't natter, but as soon as we got into NT4 Workstation, we had to start dealing with Admin or not.

We (barely) dealt with the situation using a variety of workarounds, combined differently for each situation:

  • For the industrial control apps used in our labs, RunAs usually worked. The senior techs would have the pw for an account with local admin rights and they'd be the ones that started up the apps for the other technologists.

  • For some scientists, we gave them local accounts on their PCs that had admin access. If they needed to install something, they could log out from the network, log in locally and install, then log out again and back in to the network. Or they'd use RunAs. None of them liked doing this, but almost every one of them had killed a computer to the point that it needed re-staging, so they put up with it.

  • None of these obscure programs could be installed with Group Policy, but we spent a lot of time building up ghost images and making sure data was backed up so that it wouldn't take much time to wipe and reinstall a machine that was having problems.

  • In some cases, we put the machines with problematic software on a restricted VLAN, but as mentioned, the problem with that is that they often needed to access the main corporate network even when they're running as admin

  • For one department, we gave everyone 2 machines for a while - one locked down, one with admin access. That lasted a year until they all got fed up with not having all their tools on their "main" office PC.

  • For some of the scientists who only needed admin access once in a while, we'd set up accounts that had admin rights but with crazy long passwords. When they needed access, we'd tell them the password knowing that they'd never remember or even bother writing it down.

  • We were starting to look at VMs when I left - give them VMWare Workstation or Player and a couple different VMs that they had admin access to. This is what I'd focus on if I were ever in a similar situation again.

Ward - Trying Codidact
  • 12,899
  • 28
  • 46
  • 59
2

Two points

  1. Most decent modern software no longer requires admin rights to install (nor should it). I work on a system where I don't have admin rights, and I've installed, among other things, Firefox, Thunderbird, OpenOffice.org without problems. So try to find out if people really need admin rights.
  2. Even if they do, consider giving them an account w/o admin rights and providing a password to escalate (using Run As) to admin when absolutely necessary. That keeps the window of exposure small. Might require some education, but better than always running as admin.
sleske
  • 10,009
  • 4
  • 34
  • 44
  • Thanks for the comments. Unfortnately, these apps are everything but decent and modern. :-) Many of them are created by a community of amateurs on years-old operating systems, sometimes even requiring access to lmhosts or the win.ini file!! – CesarGon Nov 21 '09 at 02:56
  • +1 for the separate admin account for installing and a normal account for day-to-day work – Oskar Duveborn Nov 21 '09 at 08:41
1

We give users two accounts, a regular user account and an administrative account. You cannot access the internet via IE or email via the administrative account to discourage the use of it.

This solution works really well, with the exception of a few exotic apps.

duffbeer703
  • 20,797
  • 4
  • 31
  • 39
0

2 simple suggestions:

  1. GPO
  2. PowerUser (LocalGroup)

You can customize GPOs regardings your specific needs. That's what I'd do...

r0ca
  • 212
  • 2
  • 10
  • 25
  • How would I use GPO? Can I grant specific users rights to install software locally? Can you give me some details, please? Thank you. – CesarGon Nov 21 '09 at 02:57
0

With 70 machines, I hope you have WDS setup so that you can quickly re-image machines to a standard setup.

Depending on the level of application support you need to provide, it might be worth granting Administrative access to users, but make your support policy for those with Administrator access "Reboot and press F12 to re-image your machine back to a good state."

natacado
  • 3,367
  • 29
  • 27
  • Thanks for your comments. My main concern is not the users who might get admin rights to their machines, but everybody else. If a virus is introduced in the network, for example, I could re-image a machine easily (if that's our support policy with them), but re-imaging the file servers would be something more serious! – CesarGon Nov 21 '09 at 03:22
  • Yes, viruses spreading is always a problem, but assuming you're up-to-date on your patches on the fileservers, it's not as bad as it sounds. You can expect a virus on a client PC to infect content on any fileservers it can write to in hopes others will open it and infect themselves, but the fileserver itself won't be infected unless you open the files as an Administrator on the server (or as a Domain Admin on any machine). Don't run as a Domain Admin unless you mean it, and don't use the servers as a desktop - only log in to do the maintenance you need! – natacado Nov 21 '09 at 05:05
0
  1. VLAN the machines that need admin rights.
  2. Each new machine needs a recovery partition (Acronis True Image does this). Users can re-image when necessary.
  3. Use Citrix to handle corporate software requirements.