I support and have implemented a strict policy at my district restricting all end users to a standard user membership in Windows on our network. Here is why:
5-6 years ago when I started working for my district I came into a network in which there was no full-time tech on staff. All users had administrative rights to their computers and everyone was mad, frustrated and inefficient because of the technology problems. The majority of staff had computers that were relatively new at the time but they couldn’t do anything on the computers. Within the first 3 months of my employment the network had come to a complete halt due to Spyware, Malware, AdAware, Popups, Viruses, etc. This occurred not 1 time but 4 times. All 4 times it took the entire district network down for a minimum of about 1-2 full days.
This is an extreme story, but I use it to make my point. I’ve gone through it. I’ve seen firsthand what happens to a network that allows end users to install whatever they want. But moreover it allows anyone else access to do whatever they want to your computers.
The removal of administrative rights was a difficult concept for some staff and still is for some. We implemented a procedure for getting software installed in which staff are asked to give us 2 weeks’ notice of the need for software to be installed. It was also explained that we understand there are circumstances in which 2 weeks is not realistic. We take requests and fulfill them the same day if we can. The 2 weeks is primarily for lab installations or other large implementations.
So… Why else do we “lock” down our computers? Is it because I’m mean? Is it because I don’t trust you as an employee or a user? Is it because I don’t like change or innovation?
Absolutely and unequivocally no to all questions. Whenever you implement a product, it is a good idea to read the documentation from the manufacturer of the product to see what the “Best Practices” are for deployment. In researching with Microsoft, no matter what version of Windows you are using, the preferred method of user deployment is to not allow users membership to the Administrators group on the local machine.
This does mean that users will likely run into hurdles which may cause headaches and even discourage them from trying new things. On a daily basis some staff will want to install more software than others. The majority will not need to install anything. The amount of time saved not having to scan and fix infected computers should allow you to address these requests assuming you aren’t understaffed.
We have gone one step further and have created a user account that does have local administrative rights to all workstations in the district. Staff can make an installation request and then be given the account to log in and install the software themselves.
Another issue you run into is licensing. Most people fall into 3 categories when it comes to licensing.
1. Those that don’t understand it
2. Those that do understand it
3. Those that don’t think it applies to them or education
The 3’s are the ones that can be a real liability to a school district. It is no secret that schools are scrutinized for everything they do nowadays. If you are non-compliant with your licensing you could be sued. Eliminating the ability for staff to install software reduces your risk.
There is a reason computers are “locked” down and it is not to stop innovation. There are casualties in many things we do and sometimes some innovation gets caught up and lost because of policies, procedures, and other organizational methods. As an IT Director I work to re-evaluate why we do what we do. Not everyone does and that is unfortunate.
Don’t ever give up on a good idea, but be respectful and patient and reasonable and you’ll usually get results, even with that stubborn tech guy who’s locked up in that secure vault they call a server room 24/7.