Wednesday, September 26, 2007

Local Admin, or Not?

While at the Church IT Roundtable today we got into a spirited discussion on whether or not users should be local administrators when they log in. I'm a strong proponent of letting them be, as long as the network has desktop and notebook images (via Ghost or some similar program) to overcome problems that could arise.

A question was asked by one of the church IT directors: Why do we feel so strongly like we need to lock systems down?

Here's my response:
  • While not wanting to knock Microsoft, we do need to recognize that their operating systems (Windows) have a lot of security holes. They know about many of them, and there are apparently many they don't know about.
  • Microsoft has taught us to engineer our networks to make up for those holes. By teaching us to not give users administrative security rights, Microsoft is teaching us to restrict our users to make up for their limitations.
  • Using programs like Ghost to image systems eliminates the issues that a user with local admin rights might experience because they allow you to re-write the local hard drive in a matter of minutes.
The reasons I prefer to give users admin privileges are:
  • It empowers users to do what they need to when IT is not available to help,
  • It allows updates to be installed as needed without IT help, and thus
  • It reduces the workload of the IT team.
I see it as a win-win. What do you think?


Clif Guy said...

Wow, Nick. I think that's nuts. We haven't allowed local admin for years. Let's discuss more next week!

Nick Nicholaou said...

I developed this topic into a larger article, which is freely available at,com_docman/Itemid,105/task,doc_view/gid,136.

Jim Edwards said...

Nick, I gotta agree with you on this. We set up our users as local admins. I would agree the number one reason is the decrease in workload for our staff, not to mention our users don't develop an IT evil overlord mentality.

Let me put it this way. We've been running our network this way for 3, almost 4, years now, and we have 65 seats. I've had 3 call tickets a month of items that wouldn't have been issues if they weren't local admins. Now I can't tell you how many calls I didn't have 'cause they are local admins, but I feel pretty safe in saying it's a lot more than 3 or 4. As for total rebuilds, we do about 3 a year.... You'd be amazed how when someone loses their machine for two days, they don't go installing willy-nilly for quite some time!

Nick Nicholaou said...

Well said, Jim! That's exactly what our clients have found to be true!


Bobby Stewart said...

Tried the link at mbsinc and got a 404 error.

Nick Nicholaou said...

Which link are you referring to, Bobby? Let me know so I can fix it.