[unisog] Defending Administrative Rights policy

Alan Rothenbush alan at sfu.ca
Thu Oct 4 17:41:35 GMT 2007

On October 4, 2007 08:36 am, Martin Sapsed wrote:

> a) format floppy disks (I kid you not!)

We haven't bought a machine, either for staff use for a lab, for almost five 
years now.  

The only need to _format_ a floppy is to then copy data onto it, and a $10.00 
1GB USB key seems a much better solution.

> b) install printer drivers for the random cheap printer they've just bought

If a person buys a printer without first getting input from my support guys, 
their Helpdesk request to install the driver software is placed at the very 
bottom of the queue, given the lowest possible priority and occasionally left 
there longer than necessary.

Cheap crappy little printers are one of the banes of my existence and 
supporting them takes a disproportionate amount of time to the "savings". 

I see this as a department dumping one of their costs onto my department; 
saving 20 bucks on a printer only to burn up hours of my guys time supporting 
it over its life.

> c) install random bits of software

We don't install "random bits of software".  We install a standard 
productivity suite on all AD'd machines (through startup scripts and a 
homebrew clone of SMS) that's now up to over 40 different programs.  Not all 
staff get everything, the PeopleSoft developers getting more tools than the 
staff in general.

Should a user "require" (their words) some other piece of software to "do 
their job", I insist upon a needs analysis and a followup investigation, 

. is it actually necessary or merely desireable
. is the functionality provided by some already installed software (I recently 
turned down a request for Picasa and pointed them to Office Picture Manager)
. are there security implications
. might there be a wider group of users who need this, and if so, is this 
particular program the best choice for all interested
. can we install/patch/upgrade the software via our standard means
. does it conflict with our existing software suite in some way

An email saying "I need this installed" is usually deleted out of hand.  

An email saying "This is the job we do, this is the problem we're having, this 
software seems like it might help us out, what do you think ?" results in 
pretty immediate action on my part.

> We also have laptop users who *need* admin rights so they can do any of
> the above when on the road.

Floppies of course are ignored.

Emergency software installs on the road are almost certainly poor planning on 
the part of the user.  We have slowly but surely drummed into the user 
community that before grabbing a notebook and running off to another country 
for a month, they _must_ sit down with a support staff person and describe 
their needs.  It is then the responsibility of the support person to ensure 
that those needs will be met on the road, supplying what training is 

When this meeting happens, as it almost always does now, we have no problems.

I believe that this is the most effective use of the support staff's time, and 
they have the hours in the day to do this because they're not wasting time on 
$50 printers.

I am very hard core about the concept that poor planning on their part does 
not constitute an emergency on ours.  It has been a struggle, but pretty much 
everyone now sees the process as a joint effort to get the university's 
business done.

Having said this, legitimate emergencies do occur.  Our first line of action 
is a remote login via RDP (whenever possible), followed by a Remote 
Assistance session, followed by giving up the Admin password, although we 
have only had to do this once.  (And on that one occasion, the user screwed 
the machine up so badly that she was unable to use it for more than day 

Printers, though, are another issue, one for which I have no good answer, only 
bad ones.  Users with notebooks who want to print at home usually have to 
bring the printer in for one of our staff to do the install.  With increasing 
frequency, the printer must be actually attached before the software can be 

On occasion, we'll create a new AD account, manually add it to the admins 
group, log on with that account, log off, power down and then delete the 

The user can then take the machine home, log in with the admin account and 
install their printer.  When they come in the next day, that account is 
invalidated and so no more admin access.

> I'm curious as to how the sites which don't give out admin rights at all
> deal with these issues? Are your admins running around installing
> printer drivers etc? Are you making work for yourselves??

This is, I agree, "work for ourselves", but we think it less work than the 
alternative; cleaning up after novice users who screw things up.


Alan Rothenbush
Academic Computing Services
Simon Fraser University
Burnaby, B.C., Canada

  The Spartans do not ask the number of the enemy, only where they are.

                                    Agix of Sparta

More information about the unisog mailing list