People are more tech-savvy than ever, and Millennials entering the workforce have grown up surrounded by technology. While these end users are more likely to be aware of the dangers of unfettered access to their work PCs and the internet, they can still do things that bog down their computers or even make them unusable. Some organizations help curb such problems by not allowing any end users to have admin privileges on their work computers. But while this can prevent problems, it creates more work for the IT help desk. It’s smart to periodically review your organization’s policies on end user administrative privileges, and perhaps change them if the benefits outweigh the risks.
Before end users are granted admin privileges, they must know the ground rules.
The Case for End Users Having User Accounts Only
When an end user only has a user account on his work computer, he can’t install software or change settings that affect the machine’s security. He can change the wallpaper, or perhaps choose the default internet browser. But he can’t install programs or do things that bring up a user account control prompt for administrative credentials. This is great for preventing unauthorized downloads and installs, and the headaches (like stacks of browser toolbars) that can result. But this level of control by the IT help desk has its drawbacks.
How Allowing Some End Users to Have Admin Privileges Can Help the IT Help Desk
If all end users are prohibited from having administrative privileges on their workstations, it’s up to the IT help desk to install software. That can consume considerable amounts of time when a new application is being deployed to an entire department or the entire workforce. The IT help desk also takes responsibility for installing security patches, updates, and drivers, which can be time-consuming.
You can allow end users (or selected end users) to have administrative privileges in such a way that relieves some of the burden on the IT help desk while minimizing the chances of end users overtly or inadvertently causing problems. This involves striking a balance between the restrictions of user accounts only and the risks of granting administrative privileges.
Setting the Ground Rules for End User Admin Privileges
If you allow end users to have administrative privileges on their machines, you must implement a policy about what is and isn’t allowed. This should be in writing, and end users must be educated on what the policy means. You should require that end users use a standard user account at all times, except when administrative privileges are required. Your policy should prohibit end users from disabling programs the IT help desk has installed, and it should prohibit installation of new software without approval from the IT help desk.
If your organization uses Windows 7 or 8, you can use the Group Policy Editor to disable access to certain Windows elements or select which elements you allow end users to modify. To do this, log in with administrator credentials and type “gpedit.msc” in the Windows search box. In the Group Policy Editor, the Administrative Templates folder under User Configuration lets you browse settings to determine what you should and shouldn’t allow access to. You can even block access to specific programs using the Group Policy Editor.
You can also use Windows AppLocker for even more granular control over what end users can do. For example, you can block apps by publisher or file path, which can be used to block access to a digital download service if that’s a problem. The AppLocker feature works slightly differently in Windows 8 than in Windows 7, but there are workarounds that can help you implement the level of control you need.
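As an added example (not from the original article), here is a file-path block like the one described above, written as AppLocker policy XML and evaluated in audit mode with the AppLocker PowerShell cmdlets before anything is enforced. The ExampleDownloader folder is a constructed placeholder, and the default allow rules are included on the assumption that the Exe rule collection is otherwise empty.

```powershell
# Added example: the blocked folder and rule names are constructed placeholders.
Import-Module AppLocker

$blockedPath = '%PROGRAMFILES%\ExampleDownloader\*'   # hypothetical install folder
$policyFile  = Join-Path $env:TEMP 'applocker-audit.xml'

# Once a rule collection holds any rule, executables that match no allow rule
# are blocked when the policy is enforced, so the deny rule is written together
# with the usual default allow rules. A deny rule overrides a matching allow.
$rules = @(
    @{ Name = 'Allow Program Files';    Sid = 'S-1-1-0';      Action = 'Allow'; Path = '%PROGRAMFILES%\*' },
    @{ Name = 'Allow Windows folder';   Sid = 'S-1-1-0';      Action = 'Allow'; Path = '%WINDIR%\*' },
    @{ Name = 'Allow local admins';     Sid = 'S-1-5-32-544'; Action = 'Allow'; Path = '*' },
    @{ Name = 'Deny ExampleDownloader'; Sid = 'S-1-1-0';      Action = 'Deny';  Path = $blockedPath }
)

$ruleXml = foreach ($r in $rules) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$($r.Name)" Description="" UserOrGroupSid="$($r.Sid)" Action="$($r.Action)">
      <Conditions><FilePathCondition Path="$($r.Path)" /></Conditions>
    </FilePathRule>
"@
}

# AuditOnly logs what would have been blocked without blocking it.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($ruleXml -join "`r`n")
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyFile -Encoding UTF8

# Evaluate the policy against real files before deploying it: one known-good
# binary plus whatever executables exist in the folder being blocked.
$samples = @("$env:WINDIR\System32\notepad.exe")
$samples += Get-ChildItem "$env:ProgramFiles\ExampleDownloader" -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# After reviewing the decisions, merge into local policy from an elevated
# session. The Application Identity service must be running for rules to apply.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Leave the collection in AuditOnly and review the AppLocker event log for a while before switching EnforcementMode to Enabled, so legitimate software installed outside the allowed paths is found first.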
What The IT Help Desk Should Never Allow
Even if it allows administrative access to end users, the IT help desk should retain control of security measures. Antivirus, encryption, and backups should remain in the hands of the IT help desk, because they’re too important to trust to even conscientious end users. The end user entrusted with her own encryption or backups puts your organization at significant risk. Not only could she neglect these responsibilities or make mistakes, she ends up controlling the data. An end user with sole access to important files is a security and business risk.
Whether to allow end users to have administrative privileges is something each organization must determine for itself. In some situations, the risks outweigh the benefits, but in others, the benefits to the IT help desk make a manageable risk worthwhile.