Administrator Privileges on local system.


Stephen O'Sullivan

G/day forum,

Can you tell me what the best way is of setting a bunch of power-hungry
developers on a system? They want admin rights, I don't want them to have these
rights because that brings its own set of problems.

Bear in mind, these guys are Developers and need typical dev rights on their
systems.

Your thoughts.....
Regards,
Steve.
 
Developers who write code with an admin user token very often create
software that requires an admin user token to run, and the cycle continues.
As soon as we developers stop running as admins and see what it's really
like from a user perspective, then we can start hoping for change. I haven't
run as an admin on my local system for nearly a year now, and it hasn't
hindered my development a bit. What I do is keep an admin account, so I can
use runas if I need to do something that requires privileges, but I would
never run as admin for my day to day account.
 
Chris,

Does that not defy the whole purpose of controlling the administrative
rights? If a user has an account that is an administrator on a local system,
won't they be tempted to use it for personal customisation of the system and
environment they develop on? I know what you're saying and I've had many an
argument with the software engineers here. And as you've just pointed out,
run everything from a command shell that has been runas a sys admin.

From the Active Directory admin perspective, that allows users to control
what settings they use. My main concern would be network card settings,
where default gateways can be changed, metrics, DNS, etc., and the
installation of unlicensed software. It does not reduce the Network/Desktop
admins' total cost of ownership of the system.

Regards,
Steve.
 
So don't give them the password for the admin account. Developing in VS.NET,
I almost never need an admin account. If I have to hit the way-back machine
to some old VS6 stuff, however, I sometimes need to get an admin login in
order to get some components registered or something similar. However, if I
didn't have an admin login, I would just call up somebody who did when I had
to do that.

Because there is such a preponderance of old software out there, you will
have to weigh the costs. Some older stuff requires admin intervention rather
often. If your guys are developing kernel mode code, it's going to be rough
if they can't get on as an admin. If your guys are developing web sites,
then they should almost never need to run as an admin. So, you have to
determine (based on what your guys are doing) which is cheaper: having guys
running to their desks to enter credentials, and then sit there and wait
until all apps with this user token have been killed; or the cost of your
developers doing stupid things that you then have to go in and fix. The call
will depend on what exactly your folks are developing. What I would do is
give it a try without giving out the password, and then dole out the
passwords based on seniority and trust if it becomes inconvenient. Maybe
have the dev leads own the passwords, so you can keep it out of your
department, and hold them accountable for whatever happens with their
credentials.
 
Thank you Chris for taking the time to post such a lengthy and informative
response.

Regards,
Steve.
 