10.6: Make a temporary Administrator account
Authored by: tom larkin on Mar 31, '11 04:31:53PM

I also am a sys admin for a large deployment of Macs for a school system. We have 6,000 MacBooks and 1,500 to 2,000 Mac desktops. I would never give a managed user admin rights, because it tosses all the security I have in place right out the window. If something needs to be pushed out, I do so over the network with client-based software; furthermore, if it is something the user needs to trigger, I accomplish this with self-service policies (Casper Suite), but the same thing could be accomplished with things like radmind, munki, and other free solutions that are client-based and run as admin under the hood. That is, of course, if you cannot afford to buy a license of Casper or Absolute. The good thing about the pay-for enterprise tools is that they just work, whereas the open source ones are more like roll-your-own.

I have been in bad situations like this before because of politics and have had to do things like temporary admin rights, but it never did as much good as it did bad with managing my clients at work.

I fail to see an actual example of why you need to give managed mobile users admin rights. If they need to be admin there should be a valid reason; installing printer drivers is not really a reason I would call valid. If a user takes their laptop off campus and uses it at home, and really needs admin rights for a valid reason, we would explore that. As far as drivers go, I package all the most up-to-date printer drivers in my image, and end users can execute Software Update via self-service themselves.


10.6: Make a temporary Administrator account
Authored by: chadvonnau on Mar 31, '11 07:04:12PM

I've had the opposite experience. I'm rather permissive with giving out local admin rights and have yet to be seriously burned. At the end of the day, being a sysadmin is all about having happy, productive users. I'd rather sacrifice security to have a better relationship.

I've only worked in places with 300 users or less, though. 9000 is a different ball game.

10.6: Make a temporary Administrator account
Authored by: tom larkin on Mar 31, '11 07:28:34PM

If I didn't work in academia it would be a different game altogether. Adults get fired when they tamper with company equipment maliciously; students don't have much to lose other than some discipline like suspension. I'd love to give everyone admin rights, if I could be sure that it wouldn't blow up in my face. At one point in time we let non-IT staff control some computer labs, and passwords got compromised and students installed Quake 3 on every PC in the lab.

Don't get me wrong though, I totally 100% agree with you. I want my users to be happy and have the best experience, but unfortunately teenagers like to cause trouble and will do things like load video games on every computer they can.

10.6: Make a temporary Administrator account
Authored by: macsadmn on Mar 31, '11 07:47:49PM

As mentioned, we also use a software deployment solution. In my opinion, it's the only way to go when you have large deployments. We too push out the most popular printer drivers, but I was merely giving an example of where someone could use this solution. There is occasionally the odd all-in-one printer that comes with "special" software that we don't care to make a software set for.

More applicably, one example that happened to me recently involved one of our district administrators attending a demo/trial on a remote system. The demo required him to run a Juniper web VPN connection and then RDP to a "localhost". Each time the VPN connection was made, it required an admin password to modify something dealing with Java. After the third time of being interrupted from my work and running down the hall to type in my credentials, I figured it was time to work out a reasonable solution :-)

Another example I've seen deals with wireless. I've rarely seen this happen, but we do have a neighboring University that has an unusual wireless system that prompts our teachers for an admin password to install something in order to join. Since we allow our staff to use their computers for personal-professional use, this helps with that scenario.

As for students... we have never used this solution for a student account and I cannot see us ever doing that, not even in a 1-1 deployment. With that said, we all know that once a user has a computer in his/her possession and physical security is breached, then they can bypass all security with some easy to find tools and a little reading on the web :-)

10.6: Make a temporary Administrator account
Authored by: tom larkin on Mar 31, '11 07:57:15PM

Oh yeah, trust me, I have a system for catching hackers, because any time you give a teenager all the time in the world, Google, and their laptop off campus, they will eventually find a way around your security. I have a script that checks for admin membership and, if so, flags the system for abuse. It is impossible to stop someone with physical access, but it is very possible to play detective and catch those who hack machines.

We actually give all our staff local admin accounts anyway. So they have admin rights to their machines; we just don't make their account an admin so they aren't always logged in as an admin. Some directors and such are just plain stand-alone machines, which aren't even imaged or bound to a server. We just load the Casper client on them so they can get software.

I just don't like the concept of temporary admin rights. I think either the user needs it, or they don't. That is all. Thanks for the tip.

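The "script that checks for admin membership" in the comment above is not posted, so here is an added example of the same kind of check, written for this page rather than taken from the commenter. It reads the local `admin` group on macOS with `dscl . -read /Groups/admin GroupMembership`, compares the members against an allowlist of accounts the deployment intentionally made admins, and returns a non-zero exit status that a management agent can pick up. The allowlist names (`root`, `localadmin`) and the sample `dscl` line used when the script is run somewhere `dscl` does not exist are constructed assumptions; a real deployment would substitute its own approved accounts.

```shell
#!/bin/sh
# Added example, not the commenter's script: flag a Mac whose local admin
# group contains accounts that were not deliberately granted admin rights.
#
# Assumptions (not from the original page):
#  - `dscl . -read /Groups/admin GroupMembership` prints one line of the form
#    "GroupMembership: root admin jsmith"
#  - the deployment's approved admin accounts are the two names below

APPROVED_ADMINS="root localadmin"   # constructed allowlist

# Given the raw dscl line as $1, print every member that is not on the
# allowlist, one per line. Takes the line as an argument (rather than
# calling dscl itself) so it can be exercised with constructed input.
unexpected_admins() {
    raw="$1"
    members="${raw#GroupMembership: }"   # strip the dscl key prefix
    for m in $members; do
        found=0
        for a in $APPROVED_ADMINS; do
            if [ "$m" = "$a" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$m"
        fi
    done
    return 0
}

# Exit status 0 = admin group matches the allowlist, 1 = flagged.
# The status is what a management tool's inventory/extension attribute
# would record; the printed line is for a human reading the log.
check_admin_group() {
    extra=$(unexpected_admins "$1")
    if [ -n "$extra" ]; then
        printf 'FLAG: unexpected admin member(s):'
        printf ' %s' $extra      # unquoted on purpose: one word per member
        echo
        return 1
    fi
    echo "OK: admin group matches allowlist"
    return 0
}

# Stand-alone run: use the real group on a Mac; elsewhere, fall back to a
# constructed sample line that contains an unapproved member.
if command -v dscl >/dev/null 2>&1; then
    SAMPLE=$(dscl . -read /Groups/admin GroupMembership)
else
    SAMPLE="GroupMembership: root localadmin student42"   # constructed
fi
check_admin_group "$SAMPLE" || echo "(exit status $? would be reported upstream)"
```

Run it from the management agent on a schedule and alert on the non-zero status; because the allowlist is fixed in the script, a machine where a student added themselves to `admin` shows up as a flag without anyone having to read the group by hand.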