[unisog] Defending Administrative Rights policy
alan at sfu.ca
Thu Oct 4 17:41:35 GMT 2007
On October 4, 2007 08:36 am, Martin Sapsed wrote:
> a) format floppy disks (I kid you not!)
We haven't bought a machine, either for staff use for a lab, for almost five
The only need to _format_ a floppy is to then copy data onto it, and a $10.00
1GB USB key seems a much better solution.
> b) install printer drivers for the random cheap printer they've just bought
If a person buys a printer without first getting input from my support guys,
their Helpdesk request to install the driver software is placed at the very
bottom of the queue, given the lowest possible priority and occasionally left
there longer than necessary.
Cheap crappy little printers are one of the banes of my existence and
supporting them takes a disproportionate amount of time to the "savings".
I see this as a department dumping one of their costs onto my department;
saving 20 bucks on a printer only to burn up hours of my guys time supporting
it over its life.
> c) install random bits of software
We don't install "random bits of software". We install a standard
productivity suite on all AD'd machines (through startup scripts and a
homebrew clone of SMS) that's now up to over 40 different programs. Not all
staff get everything, the PeopleSoft developers getting more tools than the
staff in general.
Should a user "require" (their words) some other piece of software to "do
their job", I insist upon a needs analysis and a followup investigation,
. is it actually necessary or merely desireable
. is the functionality provided by some already installed software (I recently
turned down a request for Picasa and pointed them to Office Picture Manager)
. are there security implications
. might there be a wider group of users who need this, and if so, is this
particular program the best choice for all interested
. can we install/patch/upgrade the software via our standard means
. does it conflict with our existing software suite in some way
An email saying "I need this installed" is usually deleted out of hand.
An email saying "This is the job we do, this is the problem we're having, this
software seems like it might help us out, what do you think ?" results in
pretty immediate action on my part.
> We also have laptop users who *need* admin rights so they can do any of
> the above when on the road.
Floppies of course are ignored.
Emergency software installs on the road are almost certainly poor planning on
the part of the user. We have slowly but surely drummed into the user
community that before grabbing a notebook and running off to another country
for a month, they _must_ sit down with a support staff person and describe
their needs. It is then the responsibility of the support person to ensure
that those needs will be met on the road, supplying what training is
When this meeting happens, as it almost always does now, we have no problems.
I believe that this is the most effective use of the support staff's time, and
they have the hours in the day to do this because they're not wasting time on
I am very hard core about the concept that poor planning on their part does
not constitute an emergency on ours. It has been a struggle, but pretty much
everyone now sees the process as a joint effort to get the university's
Having said this, legitimate emergencies do occur. Our first line of action
is a remote login via RDP (whenever possible), followed by a Remote
Assistance session, followed by giving up the Admin password, although we
have only had to do this once. (And on that one occasion, the user screwed
the machine up so badly that she was unable to use it for more than day
Printers, though, are another issue, one for which I have no good answer, only
bad ones. Users with notebooks who want to print at home usually have to
bring the printer in for one of our staff to do the install. With increasing
frequency, the printer must be actually attached before the software can be
On occasion, we'll create a new AD account, manually add it to the admins
group, log on with that account, log off, power down and then delete the
The user can then take the machine home, log in with the admin account and
install their printer. When they come in the next day, that account is
invalidated and so no more admin access.
> I'm curious as to how the sites which don't give out admin rights at all
> deal with these issues? Are your admins running around installing
> printer drivers etc? Are you making work for yourselves??
This is, I agree, "work for ourselves", but we think it less work than the
alternative; cleaning up after novice users who screw things up.
Academic Computing Services
Simon Fraser University
Burnaby, B.C., Canada
The Spartans do not ask the number of the enemy, only where they are.
Agix of Sparta
More information about the unisog