    Re-evaluating Local Administrative User Rights

    IT Discussion
    128 Posts 9 Posters 6.9k Views
    • scottalanmiller @1337

      @Pete-S said in Re-evaluating Local Administrative User Rights:

      Well, they need to be admin on their VMs they create for sure.

      They don't, actually. If they were spinning them up completely from scratch... actually even then they wouldn't. It's really not something that devs need unless there isn't IT. If you don't have IT, then you might need it for anyone, even a janitor.

      • scottalanmiller @1337

        @Pete-S said in Re-evaluating Local Administrative User Rights:

        If they need to be admins on their own workstation depends on what tools they need to run there. If they are working like they are on thin clients and use their dev environment for everything, then they need nothing local.

        As someone who owns a dev company, I can assure you devs don't need this stuff. And rarely is it helpful. Devs often demand this, but I can't think of why they'd need it. Devs designing code environments is actually a pretty major, and common, mistake. If the devs are local admins to their dev boxes... how do you know that they are setting up the dev environment in a way that will be reflected in a proper production environment?

        Letting devs do this would actually explain some of the common massive blunders we see in software design where software is built with the expectation of not being deployed in a production manner (for example... by requiring ridiculous dependencies, not considering licensing, or requiring that the software be run as admin.)

        • jmoore

          I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

          • Dashrender @jmoore

            @jmoore said in Re-evaluating Local Administrative User Rights:

            I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

            This is exactly what IT and those users should be doing...

            It's what I do - I have a user account just like everyone else at my company and a domain admin account for my admin stuff.

            I know that since I can easily do much of my work without local admin - no user in my company needs admin (our uses are pretty low - we are a medical company, not a technical one).

            • Obsolesce @jmoore

              @jmoore said in Re-evaluating Local Administrative User Rights:

              I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

              Perhaps. But actually logging into an admin account means they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

              As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

              • Obsolesce @Dashrender

                @Dashrender said in Re-evaluating Local Administrative User Rights:

                @jmoore said in Re-evaluating Local Administrative User Rights:

                I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                This is exactly what IT and those users should be doing...

                It's what I do - I have a user account just like everyone else at my company and a domain admin account for my admin stuff.

                I know that since I can easily do much of my work without local admin - no user in my company needs admin (our uses are pretty low - we are a medical company, not a technical one).

                Domain admin is a totally separate discussion and nothing to do with this.

                • Dashrender @Obsolesce

                  @Obsolesce said in Re-evaluating Local Administrative User Rights:

                  @Dashrender said in Re-evaluating Local Administrative User Rights:

                  @jmoore said in Re-evaluating Local Administrative User Rights:

                  I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                  This is exactly what IT and those users should be doing...

                  It's what I do - I have a user account just like everyone else at my company and a domain admin account for my admin stuff.

                  I know that since I can easily do much of my work without local admin - no user in my company needs admin (our uses are pretty low - we are a medical company, not a technical one).

                  Domain admin is a totally separate discussion and nothing to do with this.

                  Well - in my case, I only have two accounts - domain admin (i.e. the admin account) and my domain user (non-admin) account. So I use domain admin/local admin interchangeably... but I get your point.

                  • Dashrender @Obsolesce

                    @Obsolesce said in Re-evaluating Local Administrative User Rights:

                    @jmoore said in Re-evaluating Local Administrative User Rights:

                    I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                    Perhaps. But actually logging into an admin account means they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

                    As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

                    Are you using a product that allows for this temporary gaining of local admin rights?

                    • Obsolesce @Dashrender

                      @Dashrender said in Re-evaluating Local Administrative User Rights:

                      @Obsolesce said in Re-evaluating Local Administrative User Rights:

                      @jmoore said in Re-evaluating Local Administrative User Rights:

                      I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                      Perhaps. But actually logging into an admin account means they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

                      As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

                      Are you using a product that allows for this temporary gaining of local admin rights?

                      Yes you could say that.

                      • jmoore @Obsolesce

                        @Obsolesce said in Re-evaluating Local Administrative User Rights:

                        @jmoore said in Re-evaluating Local Administrative User Rights:

                        I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                        Perhaps. But actually logging into an admin account means they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

                        As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

                        Yes true. I wasn't very clear, a fault of mine. What I do is run under a plain user account and when something requires admin credentials I just enter in those credentials. I was not meaning for the user to just log in as the admin account. Of course you have to trust they will do this, so that's not foolproof. It's just what I do.

                        • scottalanmiller @jmoore

                          @jmoore said in Re-evaluating Local Administrative User Rights:

                          However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                          That's fine if they are authorized. That's how IT should be doing it themselves, IMHO. This is how you properly give that kind of access.

                          • Dashrender @Obsolesce

                            @Obsolesce said in Re-evaluating Local Administrative User Rights:

                            @Dashrender said in Re-evaluating Local Administrative User Rights:

                            @Obsolesce said in Re-evaluating Local Administrative User Rights:

                            @jmoore said in Re-evaluating Local Administrative User Rights:

                            I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                            Perhaps. But actually logging into an admin account means they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

                            As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

                            Are you using a product that allows for this temporary gaining of local admin rights?

                            Yes you could say that.

                            Why so coy?

                            • Obsolesce @scottalanmiller

                              @scottalanmiller said in Re-evaluating Local Administrative User Rights:

                              @jmoore said in Re-evaluating Local Administrative User Rights:

                              However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                              That's fine if they are authorized. That's how IT should be doing it themselves, IMHO. This is how you properly give that kind of access.

                              Yes but this topic is more about preventing a blanket local admin rights enablement, identifying risks, pros, cons, and options to compromise. Not really at all about IT's ability to gain local admin rights. Ideally nobody at all will have local admin rights ability. If something is wrong and needs fixed requiring local admin, it can be done via MDM means, ideally.

                              We don't want any one person or account to have local admin access across the board or across multiple devices either.

                              Intune makes any of these possible, and some are currently in practice, but that's starting to steer off the path a little.

                              • Obsolesce @Dashrender

                                @Dashrender said in Re-evaluating Local Administrative User Rights:

                                @Obsolesce said in Re-evaluating Local Administrative User Rights:

                                @Dashrender said in Re-evaluating Local Administrative User Rights:

                                @Obsolesce said in Re-evaluating Local Administrative User Rights:

                                @jmoore said in Re-evaluating Local Administrative User Rights:

                                I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a separate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                                Perhaps. But actually logging into an admin account means they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

                                As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

                                Are you using a product that allows for this temporary gaining of local admin rights?

                                Yes you could say that.

                                Why so coy?

                                Not intentionally, just wanting to stay on the main discussion.
