1

What is the opinion of everyone out there about having local admin rights for a developer on their local machine? Or at least the ability to do it such as through runas without having to rely on someone else?

Jake McGraw
  • 55,558
  • 10
  • 50
  • 63
Kevin LaBranche
  • 20,908
  • 5
  • 52
  • 76

7 Answers7

4

It depends on what you mean by "Developer".

DO NOT Grant Local Admin if...

Your "Developers" take business requirements and translate them verbatim into program code, in a well-developed, proven environment.

DO Grant Local Admin if...

Your "Developers" are Software Engineers that have the freedom to be creative, find new solutions, challenge the status quo of the software development process.

Eric J.
  • 147,927
  • 63
  • 340
  • 553
1

I think it is a good idea. I'm for it. For all the development teams I have managed, I have insisted on it from IT.

Also, I usually push for rights to allow programmers to temporarily disable on-access virus scanning on their workstations.

JohnFx
  • 34,542
  • 18
  • 104
  • 162
  • Virus scanner screws up lots of stuff... Visual studio debugger doesn't even run properly – jle Aug 05 '09 at 03:12
1

Absolutely necessary. And regular users should never have admin privileges.

Cuga
  • 17,668
  • 31
  • 111
  • 166
1

Depends on what you want your developers to write. For example, as a proof of concept, I fired up Eclipse + Apache + MySQL + Php (XAMPP) on a machine where I didn't have admin rights and I was able to do a lot. On the other hand, there is no way I'd be able to do effective ASP.NET + SQL development on locked down/no-admin-rights machine.

Also, if the code under development has to operate under no-rights, it can be useful to develop that way, e.g winforms apps.

Otherwise, as a practical matter, if the network admins cripple the corporate machines enough, developers will stop using them and use their personal machines, the suits will stop asking internal developers for work and start hiring outside contractors (who do own machines they have right to). I've seen the these patterns, too.

MatthewMartin
  • 32,326
  • 33
  • 105
  • 164
0

I've found that most development tools require the user to be an admin to work correctly in all cases. It's a little annoying since, as a developer, we should switch to a non-admin account for testing, but it's doable.

However, if your question is "should we have to be an admin user to use our tools," then my answer would be no. Unless you're writing a driver, there's really no good reason (that I can think of) where an admin account should be required.

Michael Todd
  • 16,679
  • 4
  • 49
  • 69
  • It's along the lines of just getting our job done.... we already do things like runas for IE to run as a vanilla domain user to check ourselves from time to time.... So it's more along the first part of your answer.... – Kevin LaBranche Aug 05 '09 at 03:07
0

Regardless of what the opinions of people here are -- and I think it's a pretty safe bet that most developers are going to think they need admin rights -- the question of whether your developers actually get admin rights is in the end going to come down to a complex interplay of politics, security policy, and Clue distribution at different levels of your organization.

In other words, if you're trying to poll the crowd here to get ammo for an argument, you've probably already lost...

genehack
  • 136,130
  • 1
  • 24
  • 24
  • I am really trying to poll the world at large as to what they have... You are right. Asking this to dev's will likely result in high affirmatives. I was more asking which I did not state well is what are other shops doing? We do have local admin rights in our shop but the question has been raised if we need them. – Kevin LaBranche Aug 05 '09 at 03:37
  • Well, I can tell you that .gov is in the process of systematically removing admin rights across the board for anybody who isn't in an admin role -- secretary or developer, it doesn't matter. Now, you can get waivers, etc., but depending on where you are, it's more or less of a fight, and may or may not be worth it. This is where I'm saying it's just going to depend on where you are, the politics there, whether security people have the ear of decision makers or whether developers do, etc. – genehack Aug 05 '09 at 03:41
0

This may depend on what you are trying to achieve and if any COTS products you are using require adminstrative priviledges. This might be required to use the product or to get it to run in your enviornment correctly.

For the developers in my area, they have to be approved for admistrative rights for their local box. It has been helpful in trying to troubleshoot issues, but has not always been necessary.

Some reasons you may not want them, would be if the user might not have those rights or priviledges. This might help find errors or issues, such as writing data to directories where the user might not have any priviledges. Depending upon where it is being install, there may be restrictions on the users priviledges, so not having priviledges may help in making sure it will work in the intended environment.

Glenn
  • 1,169
  • 1
  • 14
  • 23