Administrative Access On Windows Endpoints
-
@BRRABill said:
So, I understand the concept. I was just wondering how many of you leave the default settings for non-admin users, or if you tweak them a little bit to stem some of the calls you get from your users.
No admin access for anyone, even admins don't get to "run as admins" day to day. Every time that this feels annoying to you is a time that malware could have gotten root access silently.
-
@BRRABill said:
What's strange is some stuff doesn't ask for permission.
I guess that is how it gets installed into the system.
For example, I just installed Evernote, and it did not ask.
Because it doesn't do anything that requires escalated privileges. You only need admin access when something needs to act as the admin. Tons of things don't need it.
-
So some thoughts that I think play in...
- Admin access is dangerous, exposing it exposes your system. Even IT folk need protection from this, it is completely unreasonable for end users to really know what to install, when to install it, track licensing, know what is and isn't malware, etc. Giving them admin access is just bad for so many reasons.
- While installing lots of software requires admin rights, it does not mean that the end user needs to have those rights. LANDesk, Chocolatey, scripts, etc. can handle this task without needing to give the end user blanket admin rights. There is nothing wrong with end users installing their own software, that's a different issue than giving them admin access.
- Why is this painful? What is going on that people are adding and removing software so often that this even gets mentioned, let alone bubbles up as a concern? What process is happening that makes this happen more than, say, once a month per person?
- Why is requesting software from IT painful? What makes the installation from IT not so easy that they care to be doing it themselves?
-
Why does deleting a shortcut off the desktop require escalated privileges?
-
@BRRABill said:
Why does deleting a shortcut off the desktop require escalated privileges?
If it is put there by the admin and privilege isn't transferred to the users, of course it would require that.
-
Look at the file permissions of the shortcut.
-
@scottalanmiller said:
If it is put there by the admin and privilege isn't transferred to the users, of course it would require that.
I guess.
I mean I don't like that stuff on my desktop, but it's kind of personal preference. I don't want calls because a user is tidying their desktop.
-
@BRRABill said:
desktop, but it's kind of personal preference. I don't want calls because a user is tidying their desktop.
Then don't? If it's company standard apps they get the shortcuts, it's not the end user's choice. They can delete their own stuff all they want. If they are that focused on wanting to delete desktop icons for apps the company provides then their manager needs to assign them more duties so they don't get bored.
-
Haha ... I'd be the one doing it because I have OCD and shortcuts on the desktop annoy me!
-
Because the shortcut is not on YOUR desktop.
FFS this is not that hard, are you IT or not? This is basic Windows operation. If you install Chrome with admin rights, then it will put the shortcut in the public desktop at C:\Users\Public\Desktop. That location is admin restricted. Here is what my office desktop looks like.
-
@BRRABill said:
@scottalanmiller said:
If it is put there by the admin and privilege isn't transferred to the users, of course it would require that.
I guess.
I mean I don't like that stuff on my desktop, but it's kind of personal preference. I don't want calls because a user is tidying their desktop.
I don't like them either and don't want them on users' desktops... so don't put them there. If users want a shortcut, let them make their own rather than forcing it as the admin.
-
@JaredBusch said:
FFS this is not that hard, are you IT or not?
Finally, an acronym with some profanity in it!
I think I've just been doing things "my way" for so long, I forget the way things are supposed to really work.
I've said many times that ML has been a real eye opener. I ain't kidding!
-
In thinking about this topic, I too was wondering how BRRABill hasn't run into this admin issue long ago.
But then I recall that he said that he and all of his users run as local admins since the beginning of time. And well, of course, if you've never not been a local admin, then there's never been anything you couldn't do. So why would you know about it?
With the advent of UAC, some things are a little more in your face making you more aware that you are using admin rights, but that anyone should really understand that these UAC prompts mean this shouldn't just be assumed either.
It's like Scott's RSAT bump-upist. Running into IT personnel who've never heard of it, let alone used it.
-
Deleting items from the public desktop since Windows 7 for certain, and probably Vista has popped a UAC. So even if you are a local admin, you still had to click through a UAC to do it.
-
@Dashrender said:
In thinking about this topic, I too was wondering how BRRABill hasn't run into this admin issue long ago.
Yeah, we are discussing this offline. More or less, he's never run as or used a Windows user account, only admin ones, and I think by extension, only managed ones where the "users" were admins, too. So the common end user scenarios that we have a hard time imagining not having seen have never come up.
-
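One way to carry out the "look at the file permissions of the shortcut" check from the thread, as an added example that is not part of any post: this PowerShell lists which principals hold delete rights on the Public desktop and on the current user's own desktop, including the .lnk files in each. Variable names are illustrative, and the only path taken from the thread is C:\Users\Public\Desktop.

```powershell
# Added example: who may delete shortcuts on the shared (Public) desktop
# versus the current user's own desktop. Read-only; changes nothing.
$desktops = [ordered]@{
    Public = [Environment]::GetFolderPath('CommonDesktopDirectory')  # C:\Users\Public\Desktop
    User   = [Environment]::GetFolderPath('DesktopDirectory')
}

# Is this session running with an elevated (full administrator) token?
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($identity.Name), elevated: $elevated"

# A file can be removed with Delete on the file itself, or with
# DeleteSubdirectoriesAndFiles on the folder that contains it.
# Modify and FullControl both include the Delete bit.
$deleteBits = [Security.AccessControl.FileSystemRights]::Delete -bor
              [Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$inheritOnly = [Security.AccessControl.PropagationFlags]::InheritOnly

$report = foreach ($name in $desktops.Keys) {
    # Inspect the desktop folder itself plus every shortcut inside it.
    $items = @(Get-Item -LiteralPath $desktops[$name]) +
             @(Get-ChildItem -LiteralPath $desktops[$name] -Filter *.lnk -File)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            # Inherit-only entries apply to children, not to this object.
            if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $deleteBits) -ne 0)) {
                [pscustomobject]@{
                    Desktop   = $name
                    Item      = $item.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}
$report | Sort-Object Desktop, Item, Principal | Format-Table -AutoSize
```

A shortcut whose Public rows list only administrative principals is one a standard user cannot remove without elevation, while the same user normally appears in the User rows for their own desktop.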