ittechlab (Canada) asked in Security:
I have a user in my work environment running PLC programming, and he is requesting local admin privileges to run that program; therefore he needs local admin access with his domain user name. I spoke to his manager and told him that usually an application doesn't need admin privileges. The worst case is that his program may be written in a way that needs write access to certain files in system32 or some other Windows folder, which may require access. His manager is worse than him at explaining. He is insisting that this person needs admin access. By IT policy I haven't given local admin to anyone, and it doesn't make sense to me based on my knowledge. There are two admin privileges: one is local admin and the other is domain admin. I am the one who has the domain admin login. I want to know how security could be affected if the domain user is a member of the local Administrators group. Please explain. Thanks in advance.
ASKER CERTIFIED SOLUTION by ECNSSMT (member-only content not shown)

SOLUTION (member-only content not shown)
ECNSSMT

SunBow,

For me it can go either way; it becomes an issue of how much the general user uses or misuses the privilege. Frankly, I can ghost a machine in 15 minutes and install apps in another 45 minutes depending on the build requirement. So anything a user does to 'destroy' a PC can be rebuilt.

Now the problem becomes: what are the ramifications if the user installs illegal software, installs software that uses too much bandwidth, or causes management discomfort or issues?

> Let him have a test domain, own lan, etc
Wow I want to work for you...

Regards,
ittechlab (ASKER)

Still the theory doesn't make sense. This user keeps asking for local admin privileges for his domain user id. He is using a PLC machine program. He is a programmer. Anyway, the theory I'm confused about is that most applications don't need admin privileges unless they install/uninstall software. For example, if he got a virus because of some software installation, isn't that going to spread around the network? As system admin I am trying to restrict users from installing programs. I am in a bad place now. People come and ask me to fix issues within 5 minutes. I never used that 3rd party software ever. Many people use many kinds of software. They think the IT person should be able to fix anything right away. It's hard to explain to end users. I don't know how these concepts work. Now I am supporting

lotus domino/notes
Server 2003
Database administration
Help desk for 120 users.

They want me to create a DRP and so many other duties. I am the only person in the company. I have recently got a Unix support job offer. I am thinking of switching from here. I think I will be able to concentrate on one thing and be stable.
rindi
If you have to give him local admin rights, get him to first sign a contract which makes him responsible for the damage he does, for instance that he (or his department) can be made to pay for the time you waste setting up his PC again...

Then switch to the Unix job, it is much more rewarding :)
Look into runas, but local admin on one PC should be OK. Try Power User rights first in case that's enough; you don't always need admin to do admin things. Change the local admin password to one that is different from the others on the domain. In addition, if admin is a must, simply create another user on the PC and add that to the local admins.
Perhaps scheduled tasks can help; you can create them to kick off upon login...
http://www.xinn.org/RunasVBS.html
-rich
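As an added example (not posted by rich or anyone else in this thread): a PowerShell script that lists who currently sits in the local Administrators group of a workstation, flags entries that are domain accounts, and optionally creates the separate local account rich describes instead of adding the user's domain logon. The computer name PLC-WS01 and the account name plcadmin are made up for the example; it relies only on the ADSI WinNT provider and the `net user` / `net localgroup` commands, which exist on XP/2003-era Windows as well as current versions.

```powershell
# Added example, not code from the thread. Audits the local Administrators group
# and, on request, creates a dedicated local admin account for one application.
# Hypothetical names: PLC-WS01 (workstation), plcadmin (dedicated local account).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # e.g. PLC-WS01
    [switch]$CreateDedicatedAccount,
    [string]$AccountName = "plcadmin"
)

function Get-LocalAdminMembers {
    # Returns each member of the local Administrators group as "SCOPE/name",
    # where SCOPE is either the computer name (local account) or the domain name.
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        # Members come back as raw COM objects; read the ADsPath property by reflection.
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        $path -replace '^WinNT://', ''
    }
}

# 1. Audit. Every domain account listed here has full control of this machine,
#    including anything (installer, virus) that runs while that account is logged on.
$domain = $env:USERDOMAIN
"Local Administrators on $ComputerName"
Get-LocalAdminMembers -Computer $ComputerName | ForEach-Object {
    $scope = if ($_ -like "$domain/*") { "DOMAIN ACCOUNT - review" } else { "local" }
    "{0,-40} {1}" -f $_, $scope
}

# 2. Only if admin is unavoidable: create a local account with its own password
#    (not shared with any other local admin password on the domain) and add just
#    that account to Administrators. The user's domain logon stays a standard user.
if ($CreateDedicatedAccount) {
    net user $AccountName * /add            # '*' prompts for the password interactively
    net localgroup Administrators $AccountName /add
    "Created local account $AccountName and added it to Administrators."
}
```

Run it without switches to see the audit; rerun with `-CreateDedicatedAccount` when admin really is required, then have the user start only the PLC tool elevated, for example `runas /user:PLC-WS01\plcadmin "C:\Program Files\PLC Tool\plc.exe"` (path made up), while his normal desktop session stays non-admin. Because the elevated identity is a local account with a password unique to that PC, a compromise of that one session does not hand out credentials that are valid on other machines in the domain, which is the point of rich's advice to use a different local admin password.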
It's not easy to say the least, and it sounds like you are overworked. There should be at best 5 more of you there to provide a better tech-to-user ratio, 1:20 or 1:40 depending on how the jobs are split up. The user base vaguely sounds like something close to a runaway train with no control or repercussion for the install of non-company-authorized software.

As an act of self preservation, it may be best to go for an alternate job. But if you decide to stay, this issue from the tech side is:

1. Give his domain account local admin rights and it gives him the capability to mess up his computer. Your choice. He probably does not know enough to write his app around needing specific services protected by Windows.

2. The structured rights that MS attempted to set up in a Windows domain have been adhered to and circumvented by various application companies; the addition of their software may or may not require specific rights to add to certain existing folders, and may or may not require the addition of information to the registry. Confusing, huh...

You may want to see about working with management to establish rules of conduct on the computer: no porn on the computers, no visiting of non-work-related sites, no multicast broadcast sites like internet radio or Launch. Then provide the costs of non-compliance in terms of down time (cost of that person's salary during this act, cost of this person's down time, cost of lost productivity, cost of your time to repair this issue, cost of your diverted time from your actual project; while these costs may seem redundant to you, to a business manager it is a negative on many aspects of his reports. But you see the idea).

Oh, btw, I learned a long time ago that fixing a problem isn't just about fixing a problem. If someone causes a problem by an action they took, makes you fix it, and it is not reported to management, the problem never happened and the cost of your time fixing the problem just disappeared. So if you spent 4 hours fixing someone else's problem without it being recognized as an issue caused by a user and fixed by you, that was just 4 hours of productivity lost.

Hopefully I didn't go off on too wide of a tangent there...  Sorry if I did.

Regards,
Hi ittechlab,

Just make things easy! Really no need to consider compromising your policies; it will give you a headache.

Just let that person run his application in a virtual PC on his computer. He can have admin rights on this VIRTUAL computer, he can run his system-folder-dependent application on it, he can do anything on it as he likes.

No worries about his admin rights. His rights only belong to that virtual computer. Anything the virtual computer can do depends on the rights his physical computer has, which are actually controlled by you, the domain admin.

A lot of VM (Virtual Machine) solutions are available, either free or commercial.

Microsoft Virtual PC 2004
http://www.microsoft.com/windowsxp/virtualpc/

Microsoft Virtual Server 2005 (FREE!!)
http://www.microsoft.com/windowsserversystem/virtualserver/

VMware Workstation 5.5
http://www.vmware.com/

Hope it helps,
bbao
I don't have anyone to back up my side. The person I report to is always silent. I am totally trying to move from this company. I didn't like it at all. I have to look for a better job now. I think it's very boring and also it's tough for me to stay as one person doing all this.

I have to check all IT issues, help desk and server issues. I guess I need to leave.
I do teach part-time and feel so happy. No issues like this and people are happy. In some companies you don't get a reward for doing things. They treat you like an animal. I'm really frustrated about the job now.
Unfortunately 9 times out of 10, the people who run companies and manage departments have no idea how computers work, or even worse, think they know but are wrong. Further, some are lazy and never listen anyway. It's often referred to as Toxic Boss syndrome:
http://abcnews.go.com/GMA/story?id=1251305
http://monster.typepad.com/monsterblog/2006/03/is_your_boss_to.html
http://adminsupport.monster.com/articles/bad-boss/
-rich
The topic changed? hehe. ;-))
I can't accept the above message. This is not always true. If you have confidence and understand the concept, why would you bother to stay and look for money? I always like a challenge. I don't have anyone in here for IT questions and discussion. Users always blame computer issues so they get some time off from their work.
You can ask for your points back, and for the question to be deleted, in the Community Support TA if you'd like.
-rich
Have you considered the VM-based solution?
My company doesn't buy any VM software. It's so hard to get approval.