We have a domain group setup on each PC that's a member of the local
administrators group. Users can be added as members of this domain
group for administrator access for a very limited time to allow for
quick installation of software etc.
Anyone who has a laptop gets local administrator rights. This avoids a
lot of issues when they are away from the office and need to install
software.
Firmin Charlot, MCSE, A+, Information Systems Manager
Educational and Support Services 162 Student Services Building East
Lansing, MI 48824
[log in to unmask] (517) 432-7541
Submit technical requests at http://help.ess.msu.edu/
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Richard Wiggins
Sent: Monday, November 19, 2007 3:00 PM
To: [log in to unmask]
Subject: [MSUNAG] How do you manage Administrator access for your users?
I'm curious how folks manage access to Administrator accounts. One
piece of
advice is to create a general user account and use it at all times
except
when you need to install a program or make another system change. That
way
it's harder for spyware or other malware to break in.
My question is whether those of you who manage fleets of machines give
your
end users access to the Administrator account, even if you encourage
users
to follow the above advice.
You may have noticed that ACNS will be updating the SSL VPN to support
Mac's
new Leopard operating system. Whenever the SSL VPN is updated, users
need
to upgrade the Java client installed on their computers, and this
requires
admin access. (See
http://servicestatus.msu.edu/status_detail.php?id=1995)
Obviously you'd want to avoid the scenario where your user is on the
road
and needs to update the client but they don't have Administrator access.
There are other examples. Once I was using a loaner laptop and could
not
connect to a Wi-Fi network on the road because it was not an encrypted
network, and Windows demands Administrator access to connect anyhow.
During last Friday's wireless test folks needed to be sure they had a
Java
VM installed, and to install a speed test applet.
Or maybe you need to upgrade software for some reason while on the road.
OK, enough examples -- I look forward to hearing how you handle this.
/rich
|