3

Been working a lot with local businesses who operate in a more casual manner. No Active Directory, no passwords, and free web browsing and downloading applications at will to where every computer is just different.

When and where do I draw the line? Do I flat out e-mail or make an announcement to all the employees about please do not download stuff? Should I take a more proactive approach and since it's my time I have to spend managing these systems actually locking them down and disabling the ability to download and install applications?

How do you do with the casual business? Do you take full control over and law down the law? Or do you define and write up guidelines for said business and hope they work?

An example of an issue is how IE gets filled with toolbars. They never are needed and should never be installed and I typically have to waste time on disabling such issues to increase load times and web browsing times.

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
Tiffany Walker
  • 6,541
  • 13
  • 53
  • 77

4 Answers4

6

You're being paid to admin these systems, right?

You can do a couple of things.

First, you can just live with it, and pocket the easy money. Of course you're going to burn out fast.

Second, you can tell your boss exactly how much money it's costing the company to allow the users to trash their systems. The result of that may well be that you get to lock everything down.

Some related questions:

Community
  • 1
Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
4

It sounds like you're working as a consultant to more than one business. If they won't let you take steps to lock down configurations, then backups and imaging are your best hope.

If people are allowed to download and install applications and mess with their own configurations, data loss is a matter of when, not if. Get some sort of backups going to so that when you need to wipe someone's computer, you can restore their data.

Then, to make it easier to wipe computers and restore them to a known state, make use of imaging tools. There are plenty to choose from, both commercial and free. Find one you're comfortable with, and start imaging computers when you set them up. Then you at least get fairly quick recovery when someone's computer is messed up.

Ward - Reinstate Monica
  • 12,788
  • 28
  • 44
  • 59
  • Right now using Windows Backup and just copying over e-mails and other user documents to keep the backups small and sent to a local Windows server. Seems to work. The most annoying part is complaining of slow systems and most of the time its probably just due to the running services and stuff installed. – Tiffany Walker Jul 31 '12 at 02:38
2

Revoke admin rights. Make users limited users, and keep the administrative account details to yourself. Much more of a pain than it needs to be without AD, but the only way you'll get users to stop mucking up your systems is to remove that ability.

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
  • I would other then one application needs admin powers. – Tiffany Walker Jul 31 '12 at 02:36
  • 1
    It's almost never the case that an app truly needs admin rights to everything; you can usually resolve it by giving full control over the program directory to normal users as well. Having said that, when I do run across such an app, I usually find it to be a better solution to have it `RunAs` (or the Sysinternals equivalent for 7/Vista) an admin service account and cache credentials. YMMV, but I've never seen any good come from letting everyone run as an admin. If you get pushback, try presenting a "this is how much it cost to have me clean up after admin users" report to management. – HopelessN00b Jul 31 '12 at 02:41
  • Yea, well this application is sorta poorly coded. I didn't know you could cache creds and still run like that under a normal user. Is the service that works like that from Sysinternals? – Tiffany Walker Jul 31 '12 at 02:44
  • @TiffanyWalker Most apps don't really need full admin access. Monitor with [procmon](http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx), or the like, and you may find you only need to adjust certain file/directory/registry ACLs. – jscott Jul 31 '12 at 02:45
  • @TiffanyWalker ShellRunAs (http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx) Generally, I'll set up a "shortcut" that calls RunAs/ShellRunAs with the appropriate command line switches, enter the credentials once to get them cached, and turn the box over at that point. Almost anything to prevent limited users from making me clean up after them when they get admin rights. – HopelessN00b Jul 31 '12 at 02:50
2

Really, the route you take should be entirely driven by the business. If they see downtime due to reinstalling from toolbars as an issue then you have a task to do, currently it sounds (to me at least) that you're asking which route you should take but you're not even sure the business see's the issues you've highlighted as a problem.

imho, you'd do well to gather together evidence of the amount of time (and money!) they are spending on your services through these practices, and float the notions of how to fix such matters. You can steer them towards your way of thinking sure, but I wouldn't start mandating IT policies without the buy in from the business that there's an issue to resolve.

Sirex
  • 5,447
  • 2
  • 32
  • 54
  • This. C Levels prefer summaries, easy to digest numbers. Track work diligently and you can build your case for changes. – jscott Jul 31 '12 at 02:36
  • Yea, I'm considering that but more along the lines of educating the employees to not download stuff after cleaning up their systems. I'm trying to keep it free to where they can use itunes and stuff for their mobile devices but just need to teach them to not download other applications unless checking with me/us the business. – Tiffany Walker Jul 31 '12 at 02:42