Mac users local admin rights on Windows domain

We currently have several Macs on a Windows domain. We have not deployed any mechanism to manage the macs remotely aside from screen sharing via VNC. These users tend to be graphic artists and video editors. As a result, they are constantly downloading Adobe cloud updates and paintbrushes that require admin rights to install. This is becoming detrimental to their workflow and my staff resources.

What is the best practice for mac users on a windows network operating with admin rights?

Many thanks!
Dan CaudillAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
serialbandConnect With a Mentor Commented:
I disagree with the supposed "best practice" of denying admin rights for everyone on a Mac.  The only place I see that as "best practice" might be at a school, where multiple users have access to the same systems and the students are more computer savvy than the teachers.  You just don't want them messing around with settings and screwing it up for the next class.

In a normal workforce, I see no reason in not giving local Mac admin rights to a responsible user on their given system.  They are responsible for their work system and completing the work and not destroying their system with viruses and trojans.  You supposedly trained them when they were hired.  If you have an employee that constantly downloads questionable material or messes up their settings, then you might restrict access.  There is a way to restrict admin access to certain programs, so that they could still do the updates for those programs but not give access to other programs.  You have to do it via the command line.  The GUI is currently inadequate for fine tuning certain configurations on a Mac.  Giving a Mac user admin rights, does not affect your windows domain.

It's determined by environment and user base.  Systems that have multiple users should be restricted.  Systems that have a single user don't really have to be if users are trained.  I see no problem with giving a capable workforce local admin rights on the their system.  You only have to take it away when they prove that they don't deserve it.  I would say this privilege applies to Windows systems as well.


P.S. One Caveat, what I said above applies at this time when Macs are still being overlooked by viruses and trojans, because it's still, relatively, a niche market.  There was already one OSX worm a week or 2 ago that targeted macs.  The attacks are eventually coming, but users still can't mess up their Macs with the drive-by downloads for Windows.  One day, Apple will need to add to the "Allow user to administer this computer" with more options than just giving them full admin/root access.  You only have the option to give full access in the Systems and Preferences GUI, but you can adjust that on the command line with /etc/sudoers.  They'll eventually have to come up with an equivalent Power Users setting.
0
 
jhyieslaConnect With a Mentor Commented:
Probably "best practice" is to not give anyone, a Mac or PC user, admin rights on their own computer.  However, as you can see, that is sometimes fraught with extra work for IT and extra frustration for the users. We made the decision years ago to make all users local administrators of every computer (except servers) in the company. Over the last 15-20 years it has probably saved us tons of man-hours in IT and not caused any major issues.
0
All Courses

From novice to tech pro — start learning today.