Solved

Mac users local admin rights on Windows domain

Posted on 2014-10-09
2
265 Views
Last Modified: 2014-10-28
We currently have several Macs on a Windows domain. We have not deployed any mechanism to manage the macs remotely aside from screen sharing via VNC. These users tend to be graphic artists and video editors. As a result, they are constantly downloading Adobe cloud updates and paintbrushes that require admin rights to install. This is becoming detrimental to their workflow and my staff resources.

What is the best practice for mac users on a windows network operating with admin rights?

Many thanks!
0
Comment
Question by:Dan Caudill
2 Comments
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 250 total points
ID: 40372737
Probably "best practice" is to not give anyone, a Mac or PC user, admin rights on their own computer.  However, as you can see, that is sometimes fraught with extra work for IT and extra frustration for the users. We made the decision years ago to make all users local administrators of every computer (except servers) in the company. Over the last 15-20 years it has probably saved us tons of man-hours in IT and not caused any major issues.
0
 
LVL 29

Accepted Solution

by:
serialband earned 250 total points
ID: 40373021
I disagree with the supposed "best practice" of denying admin rights for everyone on a Mac.  The only place I see that as "best practice" might be at a school, where multiple users have access to the same systems and the students are more computer savvy than the teachers.  You just don't want them messing around with settings and screwing it up for the next class.

In a normal workforce, I see no reason in not giving local Mac admin rights to a responsible user on their given system.  They are responsible for their work system and completing the work and not destroying their system with viruses and trojans.  You supposedly trained them when they were hired.  If you have an employee that constantly downloads questionable material or messes up their settings, then you might restrict access.  There is a way to restrict admin access to certain programs, so that they could still do the updates for those programs but not give access to other programs.  You have to do it via the command line.  The GUI is currently inadequate for fine tuning certain configurations on a Mac.  Giving a Mac user admin rights, does not affect your windows domain.

It's determined by environment and user base.  Systems that have multiple users should be restricted.  Systems that have a single user don't really have to be if users are trained.  I see no problem with giving a capable workforce local admin rights on the their system.  You only have to take it away when they prove that they don't deserve it.  I would say this privilege applies to Windows systems as well.


P.S. One Caveat, what I said above applies at this time when Macs are still being overlooked by viruses and trojans, because it's still, relatively, a niche market.  There was already one OSX worm a week or 2 ago that targeted macs.  The attacks are eventually coming, but users still can't mess up their Macs with the drive-by downloads for Windows.  One day, Apple will need to add to the "Allow user to administer this computer" with more options than just giving them full admin/root access.  You only have the option to give full access in the Systems and Preferences GUI, but you can adjust that on the command line with /etc/sudoers.  They'll eventually have to come up with an equivalent Power Users setting.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A lot of new and distinct gadgets are making their appearance every other day. The latest gadget that has wooed the attention of all gadget lovers and non gadget lovers alike is the Smartwatch. This tiny gadget is capable of offering live access to …
Learn about cloud computing and its benefits for small business owners.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question