Educause Security Discussion mailing list archives

Re: Windows local admin in a .edu environment


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 30 Jan 2008 22:49:49 -0700

At 04:09 PM 1/30/2008 -0600, Hull, Dave wrote:
I have had some IT folks from other departments tell me that what we're
doing in our department doesn't scale up because they would have to
spend lots of time running around installing software for people. I've
found the opposite is true, I spend much less time putting out fires
caused by an ignorant user running as admin and so I have time to
actually provide assistance when it's needed.

In the spirit of full disclosure, I am a huge proponent of least
privilege.  As Dave and others have stated, the investment in end user
education will pay dividends in the areas of security and general IT
management and maintenance.  However, you might not expect the need
to invest in your IT staff.

That is what other IT departments mean when they say it "doesn't
scale up because they would have to spend lots of time running
around installing software for people."  Their IT staff needs to
learn to do many of those tasks
remotely, even without remote desktop.  Do they have the skills to
push software, patches, upgrades to a desktop without going to the
desktop? (Remote desktop doesn't count.)  Do they have the tools,
like psexec (they better, it's free), LANDesk, SMS, ZENworks, etc. to
manage 80-100 desktops / help desk staff?  Do you have the patience
to manage your end users' expectations?  Take them from "I could have
done it by now!" to "a four hour turnaround is ok."

My point is, when you switch from supporting to managing* the
desktops it takes a different IT skill set.
-Eric

*You cannot manage users with admin access any more than you can herd
cats (see <http://www.youtube.com/watch?v=Pk7yqlTMvp8> for more details).



Eric Case, CISSP  <ecase () Arizona edu>
Information Security Officer
College of Engineering   <http://www.Engr.Arizona.edu>
1127 E James E. Rogers Way Room 200
Tucson, AZ 85721-0020
Mobile Phone 520-275-6436
