If you run a typical IT office, users tend to operate in the context of standard users. It’s a pretty standard practice in most IT shops and it’s the application of the Principle of Least Privilege. Unfortunately, this practice is not so appreciated outside of the IT Office, where users who find out they’re restricted in one form or another absolutely demand that they have admin rights. In this hostage negotiation, if you won’t give them what they want, they’ll go straight to administration and scream that you are standing in the way of their productivity (ignoring how much time is being taken up by this fruitless argument), despite the fact that users with admin rights require more maintenance and upkeep than standard users in a locked-down environment.
Now you can boost that ego while still maintaining a secure networked environment. Introducing the Admin Rights button:
Proudly wear it on your chest! Let everybody know that you have administrator privileges on your local computer.
It can let everybody know that this individual in your organization is the shiz-nit without compromising your security. For example, if John didn’t have admin rights but Jane did and both wound up infected with malware, the most likely result is that Jane’s computer requires more time to clean up, with less confidence that the malware is actually eradicated.
It seems we face the question of why individuals can’t have admin rights in 3 common situations:
- They’re new and they had admin rights at their old job. No matter their new responsibilities and the new environment, they want admin rights from Day 1.
- They found out someone else had admin rights and can’t be left behind.
- They run into something they can’t do but need to do.
Option one is not a great way to start off a new job. While you’re still getting acclimated to an organization, to me, it seems best to play by the company’s rules for a while before you start throwing temper tantrums.
Option two is just playing into the office politics and I’m pretty sure IT doesn’t want to be roped into that no-win game. If nobody else is given admin rights, this reason is usually negated in a centrally managed organization.
Option three is the only legitimate reason to actually need administrator level privileges. However, many of the things that a person isn’t technologically allowed to do as a standard user are also things they’re not allowed to do according to company policy. For example, installing software is usually restricted from standard users. A company must remain compliant with its software licenses and most people don’t understand even the Software License Basics. By clicking the “I agree” button to an end-user license agreement, you may be agreeing on behalf of your organization with legal ramifications. The other practice of constantly installing/uninstalling trial software gets old fast and cheats (obviously) good companies. Many other tasks can be permitted granularly by changing file access permissions; while admin rights will address the problem, they are not required as a blanket solution.
If there is a legitimate reason to require administrator privileges, a second account should be created that has the needed rights. Best practice would have the individual using the standard account at all times until higher privileges are needed. At that point, they can elevate either by logging off and back on as the elevated account or by using the Run As… service in Windows to open an elevated window. Clearly, you don’t need to be running as an administrator when you surf the Cyber Monday deals on your lunch break.
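As an added illustration of the granular approach described above (this script is not from the original post), IT can grant a standard user Modify rights on the one folder an application needs instead of handing out local admin. The folder path and account name are hypothetical placeholders, and the script assumes it is run from an elevated session by an administrator on Windows PowerShell 5.1 or later.

```powershell
# Added example: grant one standard user Modify on a single folder
# rather than adding them to the local Administrators group.
# $Folder and $Account are hypothetical placeholders; substitute your own.
param(
    [string]$Folder  = 'C:\LegacyApp\Data',
    [string]$Account = 'CONTOSO\jdoe'
)

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}

# Build an Allow rule for Modify that is inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

# Add the rule to the existing ACL; existing entries are left in place.
$acl = Get-Acl -LiteralPath $Folder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Show what the account now holds on the folder.
# The match assumes $Account is written in DOMAIN\user form.
(Get-Acl -LiteralPath $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Confirm the account is still a standard user on this machine.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
if ($admins -contains $Account) {
    Write-Warning "$Account is a direct member of local Administrators; the folder grant is redundant."
} else {
    Write-Output "$Account remains a standard user with Modify on $Folder only."
}
```

The final check only sees direct members of the local Administrators group, so an account that is an administrator through a nested domain group will not trigger the warning.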
Just an FYI, if a request comes in to report a problem and admin rights are requested, it usually ends up at the bottom of the pile. Your IT might have the same view.