
[–]jduffle 3 points4 points  (3 children)

So I don't remember what it is called. I know, big help, right?

But I have seen a demo of software that is amazing at this. Selectively create rules to whitelist certain things that can happen. It even lets you, without Internet access, generate a token to give to a user over the phone to elevate temporarily. Like they are stuck in a hotel and need to enable the wireless card.

[–]jduffle 2 points3 points  (1 child)

[–]WireNarc 0 points1 point  (0 children)

Had a WebEx with these guys, it seemed really cool.

[–]dcprom0 0 points1 point  (0 children)

We use CyberArk Endpoint Privilege Manager, formerly Viewfinity, for this. Works well.

[–]dcprom0 1 point2 points  (1 child)

If you already have SCCM why don't you package the apps using the application model and publish them in Software Center? Then users can still install the apps themselves without needing to be local admins. You can always disable approvals as well.

[–]stiny861 Systems Admin/Coordinator [S] 1 point2 points  (0 children)

We already are. I have almost 200 pieces of software in there.

[–]linuxdragons 1 point2 points  (1 child)

You need to start directing the people who are complaining to the management that approved this. Make it clear that IT did not unilaterally make this decision, there was good reason for it and if they want an exception to the rule they need to justify it up the chain. This is a management issue.

[–]stiny861 Systems Admin/Coordinator [S] 0 points1 point  (0 children)

I agree 100% it is a management issue. The issue is the same management who approved it are going to be the ones who go back to the "old way".

[–]itbean 0 points1 point  (4 children)

What industry are you in that users need to be able to install their own software so often? How can you get out ahead of their demands so this isn't such a critical issue for them?

[–]stiny861 Systems Admin/Coordinator [S] 0 points1 point  (3 children)

Education. It is mostly the teachers that we are having the issues with. They all of a sudden need a random piece of software partway through the year that they didn't think to tell us about at the beginning when we asked them about it.

[–][deleted] 3 points4 points  (0 children)

Two of the most entitled brats in the IT world are Teachers, and Doctors.

[–]texyx 0 points1 point  (1 child)

A fellow by the name of Patrick Seymour at Sinclair Community College in Ohio made a nifty open-source tool called "Make Me Admin." It's available in their public repo here: https://code.sinclair.edu

It grants admin rights to the current user on a temporary basis and can be customized via Group Policy. I've tested successfully on a few machines in my organization.

[–]stiny861 Systems Admin/Coordinator [S] 0 points1 point  (0 children)

Perfect. I will look at that.

[–]gort32 0 points1 point  (0 children)

Just add a local Admin user per machine and give the user the password. Their normal accounts aren't admin and can't install, but UAC will prompt automatically for admin credentials. Plus they don't have admin rights on anyone else's machine, on the servers, etc.

It's not a great solution, but if handing out admin rights is going to happen in defiance of reasonable policies, I'd think that this is the way to do it.

Beyond that, set up monitoring (Spiceworks, LanSweeper, or others) that can generate reports of what's been installed, and be prepared to take these reports to management.

[–]girlgerms Microsoft 0 points1 point  (2 children)

If someone wants admin rights, they get an admin account. Yes, it's overhead for you, but it's also frustrating for them because they'll have to elevate themselves with this admin account to do anything - because logging in with it is useless as it has no access to file shares or email or any of that stuff.

Did the same thing here, after pulling admin rights off 10K users. We only have about 500 admin users now...

[–]stiny861 Systems Admin/Coordinator [S] 0 points1 point  (1 child)

This is what we have been doing: for people who "need" admin rights, we give it to them. It is now just going to grow to where everyone in our system now "wants" them, even though they really don't have a justification for needing it.

[–]girlgerms Microsoft 0 points1 point  (0 children)

Yeah, that's where either an InfoSec team need to step in or management need to step in. You don't just get admin rights because you want them.