Since I came from the private sector in the past few years, I can let you know how we ran the network...
 
We had two classes of users; those who had company owned equipment and those who didn't.  For those who had company owned equipment (Laptops or Desktops), we managed their computers fairly tightly.  We didn't give those users Admin rights ever to their PC.  We started the users off with regular Users accounts in Windows.  If they proved to the admin group that they knew what they were doing, we often promoted them to Power Users.  This allowed them to do what they needed to do on their own PCs.  Some users were just not trusted to do stupid things, such as install p2p apps or the like on their PCs.  Our staff provided a full range of services to those people who wanted it -- we would install all software applications, manage anti-virus, etc. for those users.  Company owned equipment was eligible for full backups as well -- all the user had to do was keep their PC on during the night and their data got captured.  It worked well.
 
Users who owned their own equipment (typically sales people), were segmented off from the regular network.  To gain access to our network, they could either VPN in (from the DMZ ethernet or wireless), or they could use the Citrix connection.  Most sales people used the Citrix connection, as it was too difficult for them to keep their virus signatures up to date (which was checked each time they attempted to VPN in).  Our staff would only provide support on the Citrix desktops for these users. 
 
Switching to my role on Campus, I am not a system administrator.  Physical Plant's BPO (IT Staff) keeps very close tabs on the systems they run, and doesn't seem to allow any users Admin rights to their machines at all.  Sometimes for those of us who have to perform special functions on their computer (such as system programming) as their job it can sometimes become a hindrance, but they are very responsive to any requests to have software installed on our PCs.  I have two PCs sitting on my desk: one that is managed by them and has access to their network resources, and one I manage that does not.  Since I'm probably a special case in the Physical Plant, this seems to work for me, and considering the user-population they have to support, their scheme seems to be working well.
 
-Nick Kwiatkowski
 MSU Telecom Systems


From: MSU Network Administrators Group on behalf of Richard Wiggins
Sent: Mon 11/19/2007 3:00 PM
Subject: [MSUNAG] How do you manage Administrator access for your users?

I'm curious how folks manage access to Administrator accounts.  One piece of
advice is to create a general user account and use it at all times except
when you need to install a program or make another system change.  That way
it's harder for spyware or other malware to break in.

My question is whether those of you who manage fleets of machines give your
end users access to the Administrator account, even if you encourage users
to follow the above advice.

You may have noticed that ACNS will be updating the SSL VPN to support Mac's
new Leopard operating system.  Whenever the SSL VPN is updated, users need
to upgrade the Java client installed on their computers, and this requires
admin access.  (See http://servicestatus.msu.edu/status_detail.php?id=1995)

Obviously you'd want to avoid the scenario where your user is on the road
and needs to update the client but they don't have Administrator access.

There are other examples.  Once I was using a loaner laptop and could not
connect to a Wi-Fi network on the road because it was not an encrypted
network, and Windows demands Administrator access to connect anyhow.

During last Friday's wireless test folks needed to be sure they had a Java
VM installed, and to install a speed test applet.

Or maybe you need to upgrade software for some reason while on the road.

OK, enough examples -- I look forward to hearing how you handle this.

/rich