Board index » delphi » Help!! They want to take away our Local Admin rights!!

Help!! They want to take away our Local Admin rights!!


2005-03-12 03:32:25 AM
delphi54
It looks like the "powers that be" are considering taking away Local
Admin rights from developers here at work. It has really ticked me off,
and I can not even see straight right now. Seriously -- the {*word*76} keeps
rushing to my head and I honestly can not see straight! it is kind of
funny, actually. But not really...
I scanned the newsgroups for some other threads on the subject, and
there are plenty. Unfortunately they all are "preaching to the choir." I
need reasoned, non-emotional responses to the following questions my
boss just asked:
1) What are the reasons we (developers) need to have Local Admin
privileges on our Windows 2000/XP workstations?
2) What would the impact be if we did not have these privileges?
As I said at the top, I am so ticked that all I want to do is yell
"BECAUSE IF YOU DON'T, I will GET THE PRIVILEGES MYSELF!" That, of course,
would be counter-productive <grrrr>. So I was hoping maybe some of you
could help with the kinds of answers that might sway PHBs.
Anyone got any ideas?
-Dan
 
 

Re:Help!! They want to take away our Local Admin rights!!

Quote
1) What are the reasons we (developers) need to have Local Admin
privileges on our Windows 2000/XP workstations?
If you don't know why you need admin rights, then you likely don't need
them.
Seriously though, let them take them away. Then bug them daily when
you can not do what you need to do. you will eventually get them back.
--
Jason Southwell
www.arcanatech.com
Delphi & IntraWeb Components
Consulting and Contracting
Incident Based Support
 

Re:Help!! They want to take away our Local Admin rights!!

"Jason Southwell" <XXXX@XXXXX.COM>wrote in
Quote
>1) What are the reasons we (developers) need to have Local Admin
>privileges on our Windows 2000/XP workstations?

If you don't know why you need admin rights, then you likely don't need
them.

Seriously though, let them take them away. Then bug them daily when
you can not do what you need to do. you will eventually get them back.
For my apps, I often need read/write rights in the HKLM registry, and
read/write directory access to different windows and documents folders
(especially things like All Users\Application Data and the like. Without
local admin, I can not change those settings or files. Unfortunately, access
to those folders and registry keys is the primary thing they are wanting to
restrict by removing your local admin priviledges. So in the end, I think
the advice above is correct. Call the IT staff that is doing this to you
each and every time you need access. Document each call, including the
time it takes for response and resolution. Then take it to your boss at
the end of the first week.
Jeff.
 

Re:Help!! They want to take away our Local Admin rights!!

Jason Southwell writes:
Quote
If you don't know why you need admin rights, then you likely don't
need them.

Seriously though, let them take them away. Then bug them daily when
you can not do what you need to do. you will eventually get them back.
This works for lots of things. An IT person at one of the customers we
do the most work with once wanted to turn off our connection to them.
We let him, the next saturday we where going to do some work it was 9am
here 7am there. We called him on his cell phone waking him up. He
turned the connection back on and never turned it off agian.
 

Re:Help!! They want to take away our Local Admin rights!!

Dan Thomas writes:
Quote
1) What are the reasons we (developers) need to have Local Admin
privileges on our Windows 2000/XP workstations?
Best argument I can think of is to install any updates for
component/utilities you use as essential part of your jobs.
To be able to access the registry to confirm that no issues of registry
contamination are going on, eg, it works correctly under various user
levels, eg admin, power user, pleb and everything works as expected.
To be able to write to files in the program files directories.. for
compiles.
To be able to disable services to test different issues that may arise
To install/uninstall/stop/start services that you create
To be able to complete{*word*222}over your system so they may need to
rebuild it.. (ok, dont add that one)
(Actually you dont need admin rights but its just simpler than putting
all the specific permissions on that you do need)
 

Re:Help!! They want to take away our Local Admin rights!!

Liz writes:
Quote
To be able to complete{*word*222}over your system so they may need to
rebuild it.. (ok, dont add that one)

(Actually you dont need admin rights but its just simpler than putting
all the specific permissions on that you do need)
Oh and to install any com components you write.. as while you can setup
com to allow you, its just.. well easier as admin
 

Re:Help!! They want to take away our Local Admin rights!!

Post back, to as many admins & managers as you can, the following:
'I note with interest that local admin privileges are to be withdrawn from
developers. I welcome this long-overdue change and the increased clarity of
control and responsibility this brings. Could someone please clarify the
following points:
a) What number should I book to while waiting for admin support during
working hours? Obviously, this should not come out of my project or
overheads. It must be booked to system admin.
b) Similarly, we all need an admin number to book to for those periods spent
idle while waiting for the sysadmins to fix the buggy installs they loaded
the previous day in an attempt to give me features I do not want.
c) Rgds. evenings, weekends and holidays when I may have urgent work to do -
please distribute the pager and phone numbers of all admin staff and their
managers. Obviously, I am willing to wait a reasonable time for support,
but, if I am doing overtime, I'd not want to waste company funds by
playing solitaire/downloading MP3s for too long, so I will go home if no
prompt support is forthcoming. Obviously, in keeping with the new policy, I
will no longer accept phone support of the 'I'll give you the Admin password
now so you can continue working & change it on Monday' kind. Again, an
admin booking number should be available to correctly charge any costs
generated by project delays.
Rgds,
Martin
 

Re:Help!! They want to take away our Local Admin rights!!

Andrea -
I appreciate your comments but you're not helping <grin>.
Seriously though, I don't need an SA to protect me from myself. If I'm
stupid enough to do some of the things you've mentioned, then I deserve
what I get, and I can not complain to the SA for help. I wouldn't anyway,
because invariably I end up spending more time teaching them, than
getting any real help. We developers are truly the "experts" here.
As for updates, we're supposed to test them before they go out to the
rest of the users. In other words, we are *supposed* to install them
before they're "approved".
As for you last comment, that we might look "more equal" than others,
that's just too bad. We *should* be treated differently than others. We
have to work 24/7 when critical problems come up. How many other people
have to do that? And who do they call when some bigwig can not log into
one of our applications because he can not read the error message that
tells him his password has expired? Us. In short, we *are* different
than everyone else. We have more responsibility, and we require more
privileges.
It's like this: I work for a large company. We have rules for appearance
that include short hair for men (don't raise a stink about this -- if
you knew what company I worked for, you'd understand). However we have a
group of people that are usually referred to as "talent". These people
can look however they want. Ponytails for the men are common. Does this
bother me? No! They're the only ones who can do what they do, so they
deserve to be prima donas. And we're the only ones who can do what we
do, so we *should* be treated differently than everyone else.
(Yes, you touched a nerve <grin>).
-Dan
Andrea Raimondi writes:
Quote

IMHO: it all depends on the kind of applications you're doing.
Let's see it from the SysAdmin POV for a minute, ok?

SysAdmins are responsible for how the computers and devices at work.
This means that, in general, if you have admin rights on the machine,
SysAdmin is not responsible any longer, but he's responsible by
contract, so he can not just "leave it" as it is.

Second thing: Windows is a weird beast, you can potentially install
anything with Admin rights and, no, I am not talking about viruses and
spyware, I am reasonably confident that you're smart enough to avoid
that. Let's take another example for this kind of issue: say that you
install OpenOffice instead of MSOffice. Now, you will most likely write
letters and save them in Word, but once or twice a month you might
forget that and save in OOo native format and nobody else is able to
read what you're sending.
Another example for this matter: say you want to use Thunderbird as
email client. Thunderbird has a junk detection algorithm that
automatically moves junk mail to a dedicated folder. It happens more
frequently than not, to have colleagues who send lots of emails in
varying formats, mainly HTML, which TB regards as junk.
Don't forget that OE sends HTML mails by default. This means that,
default, TB will mark and move messages in the Junk folder.
I think you get the end of the story. Be aware: the algorithm
scans email by email, so some might go into the junk folder,
others might not.

Updates: having admin rights would allow you to install *any* update,
even those that are not "officially" approved, i.e. WXP SP2 and/or
dotNet.

To these things, add also the fact that probably you developers are the
only ones to have admin rights on the local computers and this to a
"manager" might look like you're more equal than others(maybe, more than
themselves in some cases), consequences are easy to guess :D

Opinions?
 

Re:Help!! They want to take away our Local Admin rights!!

I'll certainly do this if I have too. Right now, I am trying to keep from
getting to that point.
Joe Bain writes:
Quote
Jason Southwell writes:


>If you don't know why you need admin rights, then you likely don't
>need them.
>
>Seriously though, let them take them away. Then bug them daily when
>you can not do what you need to do. you will eventually get them back.


This works for lots of things. An IT person at one of the customers we
do the most work with once wanted to turn off our connection to them.
We let him, the next saturday we where going to do some work it was 9am
here 7am there. We called him on his cell phone waking him up. He
turned the connection back on and never turned it off agian.
 

Re:Help!! They want to take away our Local Admin rights!!

Liz -
Thanks -- those were helpful!
-Dan
 

Re:Help!! They want to take away our Local Admin rights!!

Martin -
Very funny! I think I will take the spirit of what you said, but probably
not the exact presentation <grin>.
-Dan
Martin James writes:
Quote
Post back, to as many admins & managers as you can, the following:

'I note with interest that local admin privileges are to be withdrawn from
developers. I welcome this long-overdue change and the increased clarity of
control and responsibility this brings. Could someone please clarify the
following points:

a) What number should I book to while waiting for admin support during
working hours? Obviously, this should not come out of my project or
overheads. It must be booked to system admin.

b) Similarly, we all need an admin number to book to for those periods spent
idle while waiting for the sysadmins to fix the buggy installs they loaded
the previous day in an attempt to give me features I do not want.

c) Rgds. evenings, weekends and holidays when I may have urgent work to do -
please distribute the pager and phone numbers of all admin staff and their
managers. Obviously, I am willing to wait a reasonable time for support,
but, if I am doing overtime, I'd not want to waste company funds by
playing solitaire/downloading MP3s for too long, so I will go home if no
prompt support is forthcoming. Obviously, in keeping with the new policy, I
will no longer accept phone support of the 'I'll give you the Admin password
now so you can continue working & change it on Monday' kind. Again, an
admin booking number should be available to correctly charge any costs
generated by project delays.

 

Re:Help!! They want to take away our Local Admin rights!!

Dan Thomas writes:
Quote
Thanks -- those were helpful!
Im usually the one in the middle of a developer vs ITS war .. as I
kinda often do both... :)
I know the pros and cons of most aspects of this argument :)
Just as managers are lead to believe that you can hack the world using
ping, (I kid you not), a lot of ITS managers believe that devlopers
spend most of their time deliberately killing PCs and making them
rebuild them.
I dont know about your IT department, but, a trashed machine where I
used to sit in the middle would take one of the 1st liners generally 2
days to fetch, rebuild, reinstall.. Which isnt acceptible.. so, I came
up with VMware.. and saved the company fortunes, less kit was needed as
there was no need to have multiple machines, and images could be kept
on CD and copied back if people messed up that bad. (see below)
There are otherways round this.
The other way to approach it is to get the comapny to buy you VMware so
that you can do all your testing and faffing in a controlled
environment off the core network. It also means you can store a vast
number of environments and use client specific builds etc to do the
testing on, exceedingly useful (and v5 due out soon, really ROCKS!)
Provide you with 1 machine to do core business aspects, eg, standard
Email, general paperwork etc.. And another machine on a different
network segregated off, which you do your own admin on it, and never
the twain shall meet, and the dev environment is support and owned
entirely by the developers but little aid will be given to it when you
mess up.
 

Re:Help!! They want to take away our Local Admin rights!!

In article <XXXX@XXXXX.COM>,
XXXX@XXXXX.COM says...
Quote
Post back, to as many admins & managers as you can, the following:

<snip>
You've been reading BOFH again!
www.theregister.co.uk/2005/03/04/bofh_2005_episode_7/
--
John
Life is complex. It has real and imaginary parts
 

Re:Help!! They want to take away our Local Admin rights!!

Dan Thomas writes:
Quote
Anyone got any ideas?
Personally, I'd accept this under only one condition:
* Give me a virtual machine with local admin rights.
IMO, as a developer it is essential that you have local admin rights
because you will run into issues from time to time that relate to
permissions. They may even be as simple as installing component updates
or any other installation related activity. Others have provided good
points in these areas so I will leave it at that...
Cheers,
Kevin.
 

Re:Help!! They want to take away our Local Admin rights!!

John Wester [Group W] writes:
Quote
You've been reading BOFH again!
I remember the original BOFHs.. And getting an Email from the guy who
wrote them, and my realisation around that time as to how many of the
bad BOFH things I had done.....