Solved

Mac users local admin rights on Windows domain

Posted on 2014-10-09
2
258 Views
Last Modified: 2014-10-28
We currently have several Macs on a Windows domain. We have not deployed any mechanism to manage the macs remotely aside from screen sharing via VNC. These users tend to be graphic artists and video editors. As a result, they are constantly downloading Adobe cloud updates and paintbrushes that require admin rights to install. This is becoming detrimental to their workflow and my staff resources.

What is the best practice for mac users on a windows network operating with admin rights?

Many thanks!
0
Comment
Question by:Dan Caudill
2 Comments
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 250 total points
Comment Utility
Probably "best practice" is to not give anyone, a Mac or PC user, admin rights on their own computer.  However, as you can see, that is sometimes fraught with extra work for IT and extra frustration for the users. We made the decision years ago to make all users local administrators of every computer (except servers) in the company. Over the last 15-20 years it has probably saved us tons of man-hours in IT and not caused any major issues.
0
 
LVL 27

Accepted Solution

by:
serialband earned 250 total points
Comment Utility
I disagree with the supposed "best practice" of denying admin rights for everyone on a Mac.  The only place I see that as "best practice" might be at a school, where multiple users have access to the same systems and the students are more computer savvy than the teachers.  You just don't want them messing around with settings and screwing it up for the next class.

In a normal workforce, I see no reason in not giving local Mac admin rights to a responsible user on their given system.  They are responsible for their work system and completing the work and not destroying their system with viruses and trojans.  You supposedly trained them when they were hired.  If you have an employee that constantly downloads questionable material or messes up their settings, then you might restrict access.  There is a way to restrict admin access to certain programs, so that they could still do the updates for those programs but not give access to other programs.  You have to do it via the command line.  The GUI is currently inadequate for fine tuning certain configurations on a Mac.  Giving a Mac user admin rights, does not affect your windows domain.

It's determined by environment and user base.  Systems that have multiple users should be restricted.  Systems that have a single user don't really have to be if users are trained.  I see no problem with giving a capable workforce local admin rights on the their system.  You only have to take it away when they prove that they don't deserve it.  I would say this privilege applies to Windows systems as well.


P.S. One Caveat, what I said above applies at this time when Macs are still being overlooked by viruses and trojans, because it's still, relatively, a niche market.  There was already one OSX worm a week or 2 ago that targeted macs.  The attacks are eventually coming, but users still can't mess up their Macs with the drive-by downloads for Windows.  One day, Apple will need to add to the "Allow user to administer this computer" with more options than just giving them full admin/root access.  You only have the option to give full access in the Systems and Preferences GUI, but you can adjust that on the command line with /etc/sudoers.  They'll eventually have to come up with an equivalent Power Users setting.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Apple iTunes Authorization 5 46
SRX240 SYSLOG Setting 6 50
Data center mess 4 45
fiber and Gig ports on 3650 5 9
Usually shares are where we want them for our users and we tend to take them for granted. There are times, however, when those shares may disappear causing difficulty for your users. One of the first things to try is searching for files that shou…
Before I go to far, let's explain HA (High Availability) and why you should consider it.  High availability is the mechanism used to provide redundancy to any service at the same site and appears as a single service to the users of that service.  As…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now