Local admin privileges — to reinstate or keep locked away?

This has been on my mind a lot lately, mainly because I’ve been thinking about ways to better serve our users at NPCC and make things easier for them.  I know the local admin discussion is not a new one by any stretch, and you can also approach it from either side of the fence.  It really comes down to what you determine to be "acceptable risk."

This is what I’m kicking around in my head right now — what if I made each user a local admin for their respective machine?  Currently, only laptop users and one, maybe two desktop users have local admin rights to their machine. 

The advantages of giving back local admin?
1. Users can install software without having to ask me or wait on me to arrive on the scene.
2. Users can update programs on their own (Yeah I’m talking about you, iTunes) without my approval.
3. Those flash drives that require an extra piece of software before they mount (which I hate) can be used without my being on the scene.  In addition, the end-user can be walked through the process of reassigning drive letters if their flash drive somehow manages to interfere with our standard drive mappings. (boo)
4. Users can install fonts on their own without having to ask me.
5. If a user is done with a program and no longer needs it, they can uninstall it on their own without my help.

Now, the disadvantages and dangers of putting local admin back in the users’ hands?
1. Users can install software without having to ask, regardless of whether this software is legit or not.
2. To guard against the above, I will need to implement a monitoring solution that tracks software installation.  Spiceworks might be a good place to start with that.
3. I’m going to have to create a list of software that it supported by NewPointe IT; I don’t have the resources to support every piece of software that gets installed on a machine.  What happens then, when a user installed "unsupported" software and it wrecks their system?  That will need to be spelled out as well.
4. Any process that runs while the user is logged in will run with local admin privs.  Again, machine monitoring and logging will be a must.

I haven’t made a decision on this yet, but I’m very interested to hear anyone’s argument for or against users running with local admin.  What are you doing in your organization, and what factors led you to that decision?

Here’s how you know your week is going to contain 50% less sleep … one of your co-workers walks up to you and asks "Hey, did you know there’s a loud beeping noise coming from your server room?"

I should have gone home right then and gotten my jammies and pillow to prepare for the week.

As it turns out, the beeping was exactly what I thought it would be.  Another hard drive had bitten the dust in our would-be file server, PowerEdge 1400 that up to this point had been rock-solid for us.  With dual 1GHz P3 CPUs and 2GB of RAM, it would have made a great file server.  WOULD HAVE … except for that it had somehow managed to eat 3 hard drives before I could even put it into production.  However, this was the last straw.  3 dead hard drives in 2 months is enough to convince me that I don’t want this machine in the lineup anymore.

The plan this week was supposed to be simple.  Copy our file server and EMS Lite data to the PE1400 and bring it online.  After that, install a second array of disks in the PE1800 (where the file server once was), install Ubuntu on it, and begin using it as our VM host.  Why Ubuntu?  Because I’m budget-tight at the moment, and also because the current install of Win 2k3 Standard wasn’t utilizing all 8GB of RAM as well as the 64-bit CPUs that the 1800 now has.

This plan seemed pretty airtight, except I didn’t plan on losing server hardware just before making this transition.  However, the migration needed to proceed, and so I loaded a working RAID5 array (controller and drives) into a newer desktop box, threw Server 2k3 on it, and began the Robocopying all over again.  By now it’s Tuesday, and tonight I’m scheduled to take all the servers down and transition our PE1800 over to Ubuntu so it can be a big bad 64-bit VM host.  However, in the midst of copying file server data, I forgot about EMS Lite.

EMS our current calendaring software, and the only SQL (MSDE) database we have on-site that gets any end-user interaction.  It figures that this tiny-but-critical program would hold things up for about 24 hours while I learn how to successfully migrate the database from one instance to another without breaking things.  HUGE thanks to Jeremy Marx for taking time out of his day to help me through this.  (That’s the power of the CITRT community!)

That 24-hour period was not wasted though … during that time I did some test runs with Ubuntu 64-bit and also got our new file server straightened out.  By 3:30pm Wednesday (yes, it’s Wednesday now) I had been up for about 30 hours, but I was very please just to have conquered the EMS data issue.  I fell asleep around 4pm Wednesday and didn’t wake up until about 8am Thursday morning.

It’s now Thursday night (almost Friday morning) now, and I’m on the last leg of this transition.  All of our VMs are being copied over to another server, and once that’s done, I’ll take the old array out of our PE1800 and install a new array.  That new array will have Kubuntu 8.04 on it, and will server as our new 64-bit VM host.

I’m already starting to wear down a bit (I wouldn’t ever make it as a Bering Sea crabber), but I’m pumped to see this project finally coming to a close.  It took longer than I thought and it cost a few hours of sleep, but I feel like the benefit will be worth the trouble.

The Operations-to-Documentation ratio in IT and video, at least for us, is very high.  This bothers me.  I know I’ve got on my soapbox about it before, and then I always have this renewed resolve to go and make it happen.  Soon after, some new idea pops into my head for reconfiguring this or implementing that and BOOM…documentation is now out the window for the moment (again).

Now I know that as the person responsible for leading IT at the church, I should be looking out for new and better ways of doing things.  At the same time, the pattern I see myself getting into bothers me … especially in the wake of these past 2 weeks with all the health junk I had to wade through.  What if that was more serious?  What if I missed 3 months of work, rather than 4 days?

After thinking through some of this and talking it over with my boss, I decided that after finishing up a couple lingering projects, I am going to shift my focus temporarily and spend a high percentage of my time focused solely on documenting and training for the systems and processes we already have in place.  Of course, routine things like the helpdesk and backups will still happen, but I look to set aside maybe 1.5 days for that.  As for the length of this venture, I’m going to make the push for probably 2 to 3 months.

This definitely wasn’t how I planned to approach documentation at the start of the year, but more and more I’m seeing that we’ve just got to catch up with it.  While I know that we’re not going to just "arrive" in this area ever, I think this will be a big help in getting us where we need to be.

• At the jewler’s picking up Jess’s ring. #
• Back from the Jewler’s, and feeling weird again. If I’m getting sick again I’m gonna be unhappy. #
• Feels like an unbaked breadstick is stuck between my ears, which mean’s last week’s sinus issue is still present. Time for a Doc appt. #
• Managed to get an appointment in at my doctor today….before lunch, even. How cool is that. #
• Got my prescription from the Doc and I should be good to go. Finally time for lunch. #
• @ebuford - But if you *do* mess it up, @wantmoore and I are available for more work. #

Powered by Twitter Tools.

• I finally feel like I might be over the fever/stuffiness/dizziness that’s plagued me for the past week. #
• Been working on video documentation all day … getting ready to meet with a volunteer after lunch. #
• Great meeting with "other Dave" … it’s great when a volunteer tells you that they’ve found their niche and they love what they’re doing. #

Powered by Twitter Tools.

• I’m really loving the warm weather we’ve been having here lately. Too bad rain is on the horizon. #
• Going over purchasing card expenses … my least favorite paperwork. #
• Expense reports are done, and now so is lunch. Going to attempt to get some tickets closed this afternoon. #
• Maintenance installed special lamps in the IT work room, and they’re BRIGHT! I can probably grow tomatoes in there now. #
• Still haven’t gotten my head around how good it feels to have warm weather back. It’s been a long time coming. #

Powered by Twitter Tools.

• Testing turnaround for the twitter/IRC bridge. #

Powered by Twitter Tools.

• Getting New Grounds set up with Google Apps … first time doing this and it’s so incredibly simple to get off the ground. #
• @JasonPowell - Is anyone going to Ustream it? #
• Having lunch at Dee’s for the first time. I’ve heard great things, so let’s see how they measure up. #
• Just looked at tomorrow’s forecast. A high of 67?? You can bet I’ll be busting out the fishing gear. #
• Dee’s was fantastic, and they have Reubens on the menu! w00t! #
• Going up to New Grounds to demo Google Aps and play Scrabble. #

Powered by Twitter Tools.

• According to the thermometer, I am fever-free. w00t! #
• Feeling WAY better this morning… just a little bit of a headache, but no more fever. #

Powered by Twitter Tools.

• Just woke up with a massive cold chill. I hate being sick. =( #
• Not as chilled as I was, but I can’t sleep now. Must get OJ, drugs, and H2O. #
• Walmart’s "5am salsa music mix" isn’t making me feel any better, but I wonder if it motivates the stock boys… #
• Feeling way better now. I’ve taken in about 1.5 qts of OJ, along with water and Alka-Seltzer, and I’m finally breaking a sweat. #
• Feeling better, but not good enough to last the day. Decided to punt and go home to sleep. #
• Laying in bed with the electric blanket cranked to 11. For the first time this week I’m glad I’m not in OKC. #

Powered by Twitter Tools.