Posted on 04-04-2011 09:43 AM
I guess this would be more of a question for corporations rather than
schools, but anybody is welcome to chime in.
What type of criteria do y'all use to say who can have admin rights on
their mac vs who cannot?
John Wojda
Lead System Engineer, DEI
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead: Matt Beiriger
<mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Fe
edback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>
Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>
Posted on 04-04-2011 10:12 AM
The only "good" reason for a user to be an admin on his machine is if he
On 4/4/11 11:43 AM, "Wojda, John" <John.Wojda at searshc.com> wrote:
needs to install software. Our policy is that IT manages applications and
software licenses, so this isn't an issue for us.
Users don't need to be admins to add printers nor do they need to be
admins to connect to wireless networks. These are the typical reasons
we've been given for requests to be admins.
We have only one group with the need for admin rights on their Macs at our
company. They are developers working in Perl, Ruby and other applications
where they need access to install/update their development environment.
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Posted on 04-04-2011 10:33 AM
Indeed, it works similarly here. I've been pushing to get the PC users similarly restricted, as it would help a LOT with the support. They seem to be considering it. I just hope they don't get too many problems from higher-ups (or if they do, that they realize that it's still an option to allow them to be admins without allowing everyone to be an admin).
Posted on 04-04-2011 10:51 AM
For us no one except development staff, which is 2, have admin rights, thou I allow technicians to elevate rights on a per boot basis, ie next boot the scope will remove admin rights , then via the policy logs I can investigator as too why they needed to Elevate rights
Criss Myers
Posted on 04-04-2011 10:58 AM
The default account for everyone outside of tech support (me and two
"Wojda, John" <John.Wojda at searshc.com> on April 4, 2011 at 11:43 AM -0500 wrote:
part-timers) is a standard (non-admin) account. For some laptop users, I
eventually change them over to an admin account after they demonstrate
responsibility and competence. They also understand that any system
modification that corrupts their computer or has any (detected) negative
impact on the network can result in loss of admin privileges and/or
reimaging of their computer's hard drive. No problems with this approach.
Yet. :-)
Jeff Johnson
Technology Coordinator
Glendale-River Hills School District
Glendale, WI 53209
jeff.johnson at glendale.k12.wi.us
Posted on 04-04-2011 11:21 AM
On the teacher configuration I deploy a local admin account for them to
use to install printers at home, install their own software and such.
Some departments will buy 5 licenses of a piece of software and give it
to 5 individuals. I would rather just have them install it than me
package it, create a policy for it, and then scope it out to 5 specific
machines.
Students never have admin rights, though they do love to hack the
machines and give themselves admin rights. So I do a dummy receipt
system to catch them.
-Tom
?xml version="1.0" encoding="ISO-8859-1"?>
Posted on 04-04-2011 11:48 AM
As part of our image we have an install group and a poweruser group, and reassigned rights in the authorization database, with the Admin group a member of the other two groups. All clients start with an standard user but it they have a request for admin rights to install software, or such, then they fill out a request form, and if approved they receive the install rights, but not the full admin. This has worked well for us as it keeps them from having access to things that require admin explicitly. When we need to distribute these rights we use casper remote, or configure a policy. An scenario we have done in the past is like, We give the install rights for a home printer install over a weekend, we then use a policy to revoke them on Monday morning. This has worked out well for us over the last two years. This way we keep the "Admin" rights down to a minimum.
Sean