
December 01, 2006



Noooo - you don't need counseling! Say YES to all admin rights :)
Really Jason, I assumed you already made us your main priority! I don't think I have ever had to wait more than an hour when I had an issue.

Stay away from admin rights. Too many ways for malware to get on a system today. Even "good" and valid sites get compromised. Not to mention the things that get messed up when users start installing software (they won't ask no matter how "nice" you tell them to). Making users top priority is a great idea. Instead of a "drop everything" policy make it a 30 minute response time. Building your own PCs has many merits, but so does having someone else responsible for HW.

Quick background on us... We're a church and school, approximately 450-475 PCs, 250 email accounts, and 1400 users (church staff, school staff, and students), 4 physical locations, and 4 full-time network staff.

re: admin rights, we obviously don't give students admin access to their own machines, but we do give teachers and church/school staff admin rights on their machines. We have good filtering and blocking and virus scanning, so it generally isn't a problem (though sometimes malware does get through, usually less than one occurrence per month).

re: direct end-user support, this is something we already do. We have all users call one number, the HelpDesk, and whoever is in (and not already on a call) can pick up the ringing line, and offer support. We have VNC on all workstations, and can pull up their screen instantly to troubleshoot/fix. Word of warning, some users may tend to abuse the HelpDesk, calling repeatedly for simple things that the Help menu in Word could be used for. All in all, an instant HelpDesk is nice, as usually 90% of the issues that come up can be solved in 2-3 minutes, rather than listening to a voice mail, calling the sender back, leaving them a voice mail, etc., etc.

re: building your own PCs, since we tend to buy in batches (we're looking at replacing 2 labs, around 50 PCs), it doesn't make sense for us to build our own. We all have extensive experience in building PCs, but there's just too much other stuff to do.

Hrm...here is the way I see it.

Admin Rights for Users = Chaos

When I came to Sunset Presbyterian, all users had admin rights and the entire network was crawling with malware. Most of them were rootkitted so we had to wipe them anyways, but when I removed admin rights I had less of an issue with security of my network.

Think of it, the more chance the network or computers are down, the less benefit they will get from that technology. My opinion, you have made the right decision of making the users #1 priority and the best thing you did to accomplish that was removal of admin rights.

I inherited a facility with custom built PCs. It was back when everything wasn't integrated on the motherboard so the challenge I found was that each machine had unique hardware. It made tracking drivers etc. a challenge.

It's generally not good to make "what if" decisions after smoking chemical compounds of dubious origin. ;-)

Just say NO to drugs, local admin rights and home-brewed PCs.


1. Admin rights. Don't do it. The consideration should work the other way. No one gets it unless they need it, rather than everyone gets it unless they abuse it. If someone really does need it, then give it.

2. Direct end user support. You'll be a hero for a while, but be careful about creating an expectation and then being unable to sustain it. We lost our best tech support guy back in April of this year. After he left, we discovered he was soooo good, he actually created some unhealthy co-dependency. I mean, why bother to learn the tools you're using if Jon is instantly available to answer all questions and solve all problems? Also, we find that some staff are not sufficiently tech-savvy to effectively do certain parts of their job responsibilities. Ridiculous support won't solve that problem, it will just cover up the problem. It's better to do ridiculous training than ridiculous support.

3. Building your own. Your reasoning is good, however ... A lot of us had the problem with GX270 motherboards and the bad capacitors. That sounds like a knock on Dell until you realize they've come out and replaced every one. What if you bought a batch of 50 motherboards from Intel that started showing problems two years later? That would be a SERIOUS bummer.

Admin rights for users is the biggest reason why Windows is so insecure. Windows XP Home edition comes set up like this by default. It's a total disaster! If you want to spend the rest of your life cleaning malware up then by all means give users admin rights.

As for building your own, I would say do it, but in a limited capacity. At my day job we build all our servers but buy prebuilt for all the desktops. Additionally, if you're adept at building systems (which you apparently are), then you could do away with any extra hardware support contracts and manage the hardware issues yourself. We buy our desktops in small batches (i.e. 7-10) so we don't have to worry about 50 of the same motherboards going bad all at the same time. We do about 2 rollouts per year so it takes 3-4 years to cycle through the building.


I understand your thoughts on Admin rights but as others have said, you're opening yourself up to big problems. Don't do it.

Regarding PC building...I would say do it for special cases. I have and always will build my own video editing machines and servers. I know I am putting quality parts into them and building them correctly. For your "droid" machines (staff/public machines) I would say keep buying them. You need to factor your time to build 50 new computers compared to buying 50 from Dell. As others have mentioned, Dell and the like will stand behind their products. I would say it's a good idea to build critical systems like your servers...your A/V folks probably build or customize their own systems.

Good luck with it!

Admin rights: I think you CAN be successful with giving admin rights. You might decide to "test-drive" your idea with laptops-only to start. In most cases, this is where each user having the ability to install things like printer drivers for home-based equipment, and family-oriented software can be really handy for those spontaneous computing times.

Of course, having totally updated anti-virus and anti-malware software is critical to allow this to be successful. Regarding preceding comments about disasters in this area because of granting admin rights: my experience is that those opinions WERE completely valid a couple of years ago, but within the last year or two, the anti-malware solutions have become SO much better that the risk has diminished to a level so low that I only run into it about once a year.

OK, my team has had a lengthy discussion and it's clear: YOU ARE NUTS! But, I guess that's not a big surprise to anyone.

Admin rights: I don't want to insult your staff, so I'll insult mine! :-) When our users had admin rights, we had lots of spyware problems, lots of "questionable" software licensing, and a bit of virus issues (with admin rights, users can turn off AV!). We took away admin rights and the problems went away. I don't think I want to go back. Interestingly, we've just had a Microsoft employee suggest the same thing to us, because "that's what Microsoft does." So, does it make you feel good that your thinking is in line with Microsoft's?

Improving End User Support: I may be in agreement with you here, with a few caveats. In terms of "something is broken, let's fix it" I think you're on to something. I'm not so sure I can agree with jumping to resolve every "issue" as too many issues are really requests which maybe shouldn't be quite so instantly resolved. Acknowledging requests nearly instantly and setting good expectations -- great place to go!

White box PCs: Who's the "we" who will be building and supporting those boxes? If you can keep a stockpile of standard machines, and you really have the capacity to manage it, this could be interesting. I want to watch how this works out for you...

Admin Rights: Only my assistant and I have local admin rights on our box. This does not include our 4 Macs and boxes not connected to the network. When I started here all users were at least a power user, most were local admins, and I even had 3 Domain Admin secretaries. To be short we had an absolute mess. We had viruses, spyware, unlicensed apps, and no standard desktop configuration that makes troubleshooting so much easier. Having spent much time resolving this issue, I would hate to go back. We are using BeyondTrust Privilege Manager www.beyondtrust.com (formerly DesktopStandard Application Security) to manage the privilege level of our end users. All users are limited users but when using a specific application I can make them a local admin for just that application. This application works by modifying the user's access token per process. Some examples would be to give a standard domain user the right to Add Hardware, run ipconfig /release or run an application with local admin rights. The best part is it integrates with Group Policy so you can take advantage of your AD setup.

User Support: Currently we make end user support our top priority and it is not working. We are now looking to move away from this kind of support because projects take too long to accomplish with all of the interruptions and the staff expecting immediate support. This may work in other environments but it is not working for us.

White Boxes: We currently use whiteboxes built by M&A Technology here in Texas. I like the white boxes since they allow us to have more control over the configuration, cost less and since the parts are "off the shelf" we can fix them ourselves after the warranty (3 yr standard) expires; this is especially good in emergencies. The negative that I can see from our discussions on building white boxes is the "what if" my assistant and I are no longer working here. We should not guess what the qualifications of future staff members might be. So we felt it was in the church's best interest to buy systems that had some level of support for that just-in-case scenario.

Having worked for a 200 employee company with all users having admin rights and trying to support them with a 3 member helpdesk, I can tell you a little of where that leads. We had about 30 repeat customers who complained of their machines running terribly slow. We'd investigate and discover TONS of malware/adware, so we'd run tools to kill it all and uninstall it. In some cases we actually had to manually pluck it out of the registry because the best tools weren't getting it all. The machines would run great. The users would once again be happy. The bird would sing and the sky was a bit bluer. In about 2-3 weeks, the same users would call with the same complaint, and we would go thru the same fire drill again. Keep in mind that we were still having to support another 170 or so users with regular day-to-day issues (power supply failures, coffee in laptops, etc).

Additionally, we'd get bandwidth issues and we'd be charged to find out who, what, where, and why. By using a few good tools, we'd find a couple of users were streaming audio/video and had loaded software on their machines to do such.

Then we had the promising young PC techs in training that would bring in CDs with hacked software that they wanted on their machines that had no business related purposes (video editing, photo editing, etc. loaded on a PC for a customer service rep). Carefully consider this one. As an I.T. Manager, you are the person that Microsoft, Adobe, and the other software giants will hold responsible for illegal copies of software being installed on computers for which you are responsible.

Luckily for the helpdesk staff, our company had to comply with Sarbanes-Oxley and that goes into a lot of issues of responsibility and accountability on software licensing, etc. As soon as the SOX thing got underway, the VP of I.T. read the writing on the wall and had us demote the users to power user status. We cleaned all of the 200 machines for malware before locking them down. That coupled with some well implemented GPOs effectively stopped the users from having Admin rights and the number of helpdesk tickets per month dropped by 45%. (Yes, almost half!)

But, if you are really bored and need some busy work, empower the masses :)

At the same company, I had the pleasure of supporting white boxes assembled by a local store. Our experience was one of always searching for drivers as very few of the machines had identical components. Imaging was out of the question as you basically needed a separate image for every machine as you could not establish a common base due to the differing components from box to box. The other issue we had was odd but understandable. Whenever we had a brown out or total power outage, 4-5 of the white boxes would experience a power supply failure where the Dells didn't. So, if you go this route, invest in good power supplies and keep some spares on hand.

Help Desk as a Priority is a good thing, but bear in mind the short-term and long-term projects are important and deserve time and attention. How do you balance both? Dedicate someone to projects and someone to run tickets as hard as they can go till they burn out or drop? There has to be a good middle ground somewhere in this one. I've always tried to give the quickest and best service to the users I support, but when you're tasked with projects that are important to the whole organization, it becomes a huge stress point.

Just my personal experiences. Your mileage may vary.


  • Jason Powell is the Information Technology Director at Granger Community Church. The views and opinions expressed here are not necessarily those of GCC ...
    or are they? Hmm???
