Re: Must all users be administrators?

From: Jeff Middleton [SBS-MVP] (jeff_at_cfisolutions.com)
Date: 05/21/04


Date: Fri, 21 May 2004 12:06:52 -0500

I offer a simple observation to illustrate the challenge and potential
opportunity here.

It is an exceedingly rare venue that is a theater, stadium, arena or
whatever that offers chewing gum at the concession stand. Why? Because you
can't charge enough at the concession stand for the gum to pay for the
cleaning crew to scrape it off of the seats and walking surfaces 4 hrs
later.

It's a pet peeve of mine that MS designs software on the basis of providing
a single product to serve every permutation of user interest in the entire
world, and yet, I'm not given the ability to get the 80% of the stuff
designed for "other people" out of my way as a user, or as an Administrator
for a group of users. Really, the boss in most companies would not hand
every employee an Office Depot catalog the day they get hired and ask each
one to "browse through the pages of all the furniture and accessories you
see there, pick out what you like, I'll have it delivered for you."

The physical world with purchase prices involved reveals how idiotic this
is. Why would the owner of a business decide to renovate a cubicle for each
individual employee if it....uh....cost actual money?

There's an education problem, I think Anne has put a finger on this, and
unfortunately, the problem for IT contractors is that if you are negotiating
for your own fee, it's hard to say "I'm going to bill you for preventing
this or bill you for cleaning it up" because everyone who studied
high-school algebra knows that with

fee = fee
.. you cancel on both sides of the equation and in business that means you
do nothing. Unfortunately, that means that our equation is:

management doing nothing = staff do anything they want + C

Management likes to assume that "C" = 0, but in fact the C represents the
constant loss of productivity and efficiency in the business use of the
business assets because of the tension created by staff having the ability
to degrade their workstation's reliability, if not just consistency in
configuration, therefore people do things differently for no better reason
than that the company doesn't choose to organize its own workforce and
tools to work on a common pattern of method.

Sure, some things probably matter little in a practical sense. Makes little
difference if the desktop wallpaper is a picture of a sportscar or a guy's
wife. Well, unless the picture is the wife of somebody else in the company
and the picture is unflattering. :) There's the implication for politics
and morale as well as moral issue implied. At some point, all of this
converges to be a question of "how much does a company want to put up with
and deal with unlimited flexibility?"

Is a business truly better off if all the users can do anything they want
and still get paid? One might think that even if it's a small part of the
problem, it's still part of a problem, and if the company is paying the
bills, then maybe, just maybe, the staff should not consider it a right of
employment that they can watch DVD movies on their workstations while they
are supposed to be.....working. Just because MS built it into the default
feature set, doesn't mean that it makes sense to offer all features to the
staff in a business environment.

"Anna Clark" <anna.clark(remove this)@verizon.net> wrote in message
news:uMX0TKhPEHA.3140@TK2MSFTNGP11.phx.gbl...
> Hi Jeff:
>
> As usual, you have supplied the most information... but I am still puzzled.
> With these mostly young men, they don't understand why they can't do
> "anything they want" with the company computer. Even if this problem with
> the mortgage software (in this particular case) did not exist, there would
> still be the problem of them demanding from computer un-savvy, to say the
> least, management, that they be able to install what ever they want on the
> company computer.
>
> Add to this that there are 10 to 15 of these young people and only 4
> computers, and you can see that what pleases user1 does not please user2,
> etc. They all take turns, and some remember to log off, some don't. Sally
> likes blue on green type, Fred likes green on blue.
>
> I am not upset over this, it is a job of training the management and the
> users. What I am upset about is the extensive use of the administrators
> group on the local workstation. Unless the end user is an administrator,
> he/she complains and management does not want to hear that. If the users
> are complaining, the consultant MUST NOT BE doing his/her job. But if
> EVERYONE is an administrator, each user is at the mercy of ALL of the others
> to keep the apps, printers, etc. intact.
>
> Not my idea of good housekeeping. To paraphrase Martha Stewart, "That's NOT
> a good thing!"
>
> As bad, if not worse, I think, is that just to install the SBS client and
> all the software and user rights, the Administrator must visit every
> workstation. Makes for a long, long day if there are 20 or 50 or 75
> workstations joining the new SBS network. If one wants to share the load
> with an employee of the organization one must make that person an
> administrator before they really know anything at all. True, you could then
> go back and change the password for the "asst_admin" if you wanted, but just
> to get the workstation to join the domain requires admin status, and
> therefore the disclosing of more than an untrained person should probably
> know.
>
> Anna
>
>
> "Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
> news:OyqdBaePEHA.1036@TK2MSFTNGP09.phx.gbl...
> > As was indicated by a couple of people in this thread, you find that adding
> > the users to Domain Admins solves the problem because when SBS configures
> > the workstations joining the domain, it ensures that the Domain
> > Administrators account is a member of Local Administrators on each
> > workstation. Hence, making a user a member of Domain Admins has the impact
> > of making them Local Administrators at their own station. Make sense?
> >
> > So as was indicated, if you go to each machine and make Domain Users a
> > member of Local Administrators, you have accomplished the same result at
> > that workstation but, really you haven't done a good thing. Effectively, you
> > have established that every account in the domain is now a workstations
> > administrator, and this is begging for troubles. Still, a lot of people do
> > that.
> >
> > If you ran the SBS wizards to setup every user per workstation they use, I
> > believe that SBS still makes that user a member of the Local Workstation
> > Administrators. At that point, you have limited the power to a one to one
> > relationship of the users at their own workstation, but that still isn't
> > great, but it's better.
> >
> > Ideally, what you really want to do is solve the reason that the application
> > is causing this grief. That would be to determine if the application is
> > requiring full permissions to a particular folder, or to a particular
> > section of the registry on the workstation that normal users don't have
> > permissions to control, just read permissions. If it's a folder, you can
> > change the permissions to be "Domain Users: Full Control" and now you have
> > really done a nice thing. Your users have full control over the specific
> > folder the application in question is worried about, but you don't have to
> > make your users members of Administrator anywhere. The same process applies
> > for registry locations, but it's a bit less obvious when this goes on.
> >
> >
> > "Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in message
> > news:%23judI$cPEHA.3044@TK2MSFTNGP10.phx.gbl...
> > > What happens if you go into the security settings of the folder in question,
> > > and give whatever permission Administrators have to Authenticated Users?
> > > Theoretically, that would solve the problem.
> > >
> > > I ran into this with a program from the abstract company, where it wanted to
> > > write files to the workstations' root directory. I asked them to change
> > > their program to write to a directory under Documents and Settings rather
> > > than give the users write permissions to the root directory. They were
> > > willing to rewrite their program knowing that they were going to run into
> > > the issue on every default winxp workstation they installed it on.
> > >
> > > IMO giving all users admin rights is an invitation for a disaster. You'll
> > > have no control over what's installed on the workstations, including
> > > spyware, downloaded trojans, kazaa, shareware, etc.
> > >
> > >
> > > "Anna Clark" <anna.clark(remove this)@verizon.net> wrote in message
> > > news:ePYPI%23bPEHA.2580@TK2MSFTNGP09.phx.gbl...
> > > > Hello everyone:
> > > >
> > > > One of my sites has a problem. They are a mortgage broker company and use a
> > > > software that requires that they save their loan applications to a folder on
> > > > the local workstation.
> > > >
> > > > Unless their domain id is part of the local administrators group, they
> > > > cannot save the file.
> > > >
> > > > Moreover, it seems to me that to make an end user any less than an
> > > > administrator over the local system is just asking to make trip after trip
> > > > to the site to give disgruntled users permissions to do this and that.
> > > >
> > > > How do others handle this problem, if it is a problem... or have I missed
> > > > something basic.
> > > >
> > > > I take care of SBS W2K, and SBS 2K3 sites where the clients are XP Pro or
> > > > W2K Pro and face this issue at all of them.
> > > >
> > > > Thanks for your input.
> > > >
> > > > Anna
> > > >
> > > >
> > >
> > >
> >
> >
>
>
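
One way to apply the folder-level fix described in the quoted reply, and to check a workstation for the "Domain Users in Local Administrators" setup it warns about, as an added example that is not part of the original thread. The folder path is hypothetical, the cmdlets are those of a current Windows PowerShell rather than the 2004-era tools, and Modify is granted instead of the Full Control named in the thread on the assumption that the application only needs to create and change files (Full Control would also let users rewrite the folder's ACL).

```powershell
# Added example, not from the thread. Run elevated on the workstation.
param(
    [string]$AppFolder = 'C:\LoanApps',                   # hypothetical application data folder
    [string]$Group     = "$env:USERDOMAIN\Domain Users"   # group named in the thread
)

# 1. Flag broad principals in the local Administrators group (S-1-5-32-544).
#    Matching on SIDs keeps the check independent of display language:
#    S-1-5-21-...-513 = Domain Users, S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone.
$tooBroad = Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object {
    $_.SID.Value -match '^S-1-5-21-.*-513$' -or $_.SID.Value -in 'S-1-5-11', 'S-1-1-0'
}
foreach ($m in $tooBroad) {
    Write-Warning "Local Administrators contains '$($m.Name)': every such account is a workstation admin."
}

# 2. Grant the group write access only on the folder the application needs.
if (-not (Test-Path -LiteralPath $AppFolder -PathType Container)) {
    throw "Folder not found: $AppFolder"
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $AppFolder
$acl.AddAccessRule($rule)          # adds to the existing entries, removes nothing
Set-Acl -LiteralPath $AppFolder -AclObject $acl

# 3. Show the resulting entries for the group so the change can be verified.
(Get-Acl -LiteralPath $AppFolder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

If the application still fails for a standard user after this, the remaining denied path is likely the registry location the quoted reply mentions, which needs the same treatment on its own key.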


