[mswindowsxp] Re: locking down (sort-of)

  • From: Jim Betz <jimbetz@xxxxxxxxxxx>
  • To: mswindowsxp@xxxxxxxxxxxxx
  • Date: Tue, 29 Apr 2003 10:08:24 -0700

  There really isn't any truly effective way to provide limited
local admin authority - in your environment.  Your best solution
is to not provide any admin authority at all.  If you can't live
with that (too much workload and not funded/staffed for the 
workload) then your only recourse is to use non-computer implemented
policies (the old "these are the rules you will live by and you are
playing you-bet-your-job if you break them") combined with LOTS of
education of your users.
  The education isn't really that big a deal - it is mostly a
matter of documenting what is and isn't allowed for them to do
and then re-inforcing that with repeating and repeating the
mantra over and over again (every time you talk to any user you
mention something or other about "the policy").

  BTW - just in case you didn't know this ... stuff like Gator and
Comet Cursor and other 'freebies' from the net are all various 
forms of spyware.  If you haven't attempted to bring your users
up to speed on the topic of spyware you should do so.


  Here are my 'basic rules':

  1) NO freebies from the web unless installed by I/S support
  2) No screen savers of any kind except the MS Blank Screen.
  3) All software installed by the user must be pre-approved
     by the support organization BEFORE installation.
  4) All 'standard' software installed by support (such as 
     office, accounting software, email clients, etc.).

  And then the blanket "this computer is for business related
  use only and any other use is not authorized and may result in
  your loss of your computer or job".


  Be on the lookout for users who "know too much too much for 
their own good" (and yours!).  The ones who are always asking
you about the latest and greatest buzzwords and who brag about
having a great system at home and want nothing less than the
same here at work - but when you talk to them it is clear that
they are just a problem waiting to take up a lot of your time.
Because they are willing to 'experiment' with their own computer
and change it all the time (and usually get into trouble frequently).
  These are the users who are most likely to also 'mess with' the
computer they use at work.  Often all you have to do is to get
them to understand how much time it takes you to fix the problems
and they will understand what is really happening and why they
should treat their work machine differently than their personal
computer at home ... sometimes a little 'delay' in when they
get the problem they created fixed can get their attention if all
of the regular methods have already failed (talking to them, etc.).


  AGAIN - the best practice is to not give users admin authority.  
If they need a program installed you will have less overall work if 
you go to their machine and do the install for them.  Overall this
will be less work in the long run - especially if you combine it
with a 'standard setup/preparation' that you do to the computer
before the user ever gets it (that includes the install of all
of the basic software).

To Unsubscribe, set digest or vacation
mode or view archives use the below link.


Other related posts:

  • » [mswindowsxp] Re: locking down (sort-of)