Here at the library, all staff computers are the property of the library. No
staff member is allowed to log on as an administrator! Not even our
technology manager or the library director. Only the Network Administrator
and his Assistant are allowed to log on as administrators for the reason you
have described.

Even though your staff think of the computers as theirs, they are not. You
should very quickly develop a policy and start enforcing it. 


I don't know if our policy is actually in writing or not. Back when we
started our network the library management team was opposed to putting any
staff policies in any writing. 


From: Library NT On Behalf Of Heckbert Jr, Richard W.
Sent: Thursday, June 10, 2010 11:48 AM
Subject: Staff desktop account security


Once again I turn to this list for its collective wisdom.


The university was recently the target of an orchestrated attack on desktop
machines that took us quite a while to clean up.  Add to that the recent
changes in MA laws regarding personal information and we are at a point
where we need to change the way we have done things.  In the past, we've
allowed people to run as administrators on their own machines.  Mostly to
facilitate software installs and program functionality.  We are now trying
to change users' accounts to regular accounts and not have everyone run as
administrators but, surprisingly and I guess not surprisingly, we are getting
push back from some of the upper staff here.  Does anyone have any
documented best practices where they do not allow people to run as
administrators on their own machines?  If not, what is everyone doing as far
as account privilege levels on staff machines?  Do you run as regular users
or do you allow them to run as administrators?




Rick Heckbert
Library Systems Administrator
Tisch Library
35 Professors Row
Tufts University
Medford, MA 02155