Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote Management and User Consequences?

Posted by ryuzaki0 on from the battle-between-adminis-and-computer-saavy-users dept.

NNWizard asks: "I work in a large university in Belgium where the people in charge of university computer systems want to install LANDesk on every single computer connecting to the university network. The aim is to be able to manage software and provide centralized remote user support. In the old days, every department had computer guys dedicated to the department, and they knew all about the users and their needs. Now, they want to make the management of computer resources global. In most non-engineering faculties this is well accepted, however in the Applied Sciences Faculty the users are computer savvy -- they do not like the idea of giving out control of their computers to people they don't know. What experience does Slashdot have with such a situation? Was the deployment of LANDesk (or a similar software package) a good or a bad thing for the users? How were the privacy issues tackled? Were people still able to use their computers the way they wanted to use them?"

11 of 139 comments (clear)

  1. They're full of crap by ltbarcly · · Score: 5, Insightful

    People who believe that they 'know about computers' are the biggest problems from an administration standpoint. Of all of my users, the ones who don't think they know how to manage their computer end up doing a lot less damage than those users who think they know what they are doing.

    And the worse part is, people who THINK they know all about computers are also the ones who will blame YOU when they hose their installation of Windows. Frankly, I find it unlikely that these engineers need the control of their computers. More likely they want to install unapproved software and various adware bullcrap which will bring your network to a crawl.

    I say this from experience. Initially I thought it would be OK to give some 'expert' users local admin rights, so that they wouldn't have to call the help desk in those situations where they simply want to install real player to listen to Rush Limbaugh or whatever else these dopes do. However, they instantly manage to get spyware, trojans, keyloggers, and other worms and viruses. They do this despite fully updated Microsoft Spyware (granted, it is a beta) and fully updated antivirus software.

    It is only recently, as we moved to managed antivirus software, that I began to understand the amount of damage these people were doing. I now get reports of virus activity, and I am never going to make the mistake of giving a user local admin rights again. It is easy to do, but they will abuse it, and taking it away is 1000x as hard as just sticking to a policy of never doing it. Once you give in they will know that you can bend the policy, and when you take it away you are telling them through your actions that you don't trust them to know what they are doing.

    And the one thing these people always think is that they somehow know what they are doing.

    Let me make it a simple maxim: 'If you are not responsible for the maintenance of a computer, you WILL NOT UNDER ANY CIRCUMSTANCES have administrator rights on said computer.'

    1. Re:They're full of crap by jipis · · Score: 5, Insightful

      I think you're missing something important here. The admin rights are being taken away from the local heretofore admins in favor of giving them to the corporate-level admins. As an admin to whom this has happened, I can tell you that this policy change / procedure change / whatever marketing-speak term you want to give it is a Very Bad Thing. The corporate IT people -- even if they know what they're doing (personally, I've found that too many ppl at the "corporation-wide" IT support level know less about computers than my dog) -- cannot do as good (good at all??) a job at the admin stuff as a local admin could.

      -J

    2. Re:They're full of crap by jonwil · · Score: 3, Insightful

      This is especially true if (as is likely the case) the department involved is using specific software (e.g. the science dept might have scientific or math software that they use).

      Allowing the department to manage it means that the guys who know the most about how to keep Matlab or LabView or whatever they are using running are the guys keeping them running.

    3. Re:They're full of crap by rah1420 · · Score: 3, Insightful

      Truly "personal" computers on the university network are another story. I don't know the best ending to that one.

      "No." Meaning that such devices are not allowed.

      That's the way my company does it. If it's an asset owned by the corporation, it is allowed to get Ethernet packets. If not, it's not.

      I bring my personal machine in, but there's no cat5 going into it even though it's safer by far than any corporate machine.

      --
      Mit der Dummheit kämpfen Götter selbst vergebens.
    4. Re:They're full of crap by Curmudgeonlyoldbloke · · Score: 2, Insightful

      I'd have thought that "an effective, up-to-date, virus checker" would be an excellent start to an AUP.

    5. Re:They're full of crap by swillden · · Score: 2, Insightful

      Probably almost all of your IP is going out the door, straight to competitors

      Odds are, so is yours. The difference in your case is that it's carried out the door by pissed off ex-employees. Most of it innocuously, in their heads, as they take their accumulated experience and expertise to go work for your competitors, but at least some of it deliberately and with malice aforethought.

      As a consultant I've worked for a lot of different companies and I've noticed a very strong correlation between companies without draconian IT policies and those that are successful, innovative and with happy development teams. Good companies tightly manage the systems of most of their employees, but recognize that software developers, network engineers and other IT staff are happier and more productive when allowed to manage their own systems. Good companies provide such users with tools and (if necessary) training on how to keep their systems secure, put reasonable policies in place (e.g. root/Administrator logins are not allowed, virus scanners are required (for Windows), screen locking must be turned on, etc.) and perform resonable due diligence in ensuring that the policies are followed, but allow the more technical staff to manage their own systems. Crap like not allowing experienced users to install software on their own machines just pisses people off and reduces productivity.

      People don't need to install software on a daily basis.

      True. I rarely install software more than two or three times per week. Still, it's often enough that I'd really hate to have to wait for some semi-clued 'worker drone' to come do it for me.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Dial-out assistance by phorm · · Score: 2, Insightful

    What I'd prefer, is something cross-platform that would let my user's dial me. Really, there's not much need to poke into a user's machine when no help is needed, and for the mostpart I have a heck of a time dealing with friend's who have VNC, but haven't configured the router, etc to let me in.

    I control my own inbound routing, so having the ability to control which connections are sent through the routing machine to my PC would make it much easier for me to have other's "dial-out" for assistance from me... rather than having them configure a router to allow me to "dial-in" to their machine.

  3. THEIR jobs by msbsod · · Score: 4, Insightful

    The whole thing is not about better support, privacy, security, whatsoever. People are using the Internet since two decades. No, those who deploy such software and restrictions only want to secure their jobs. It is that simple.

  4. STAFF... Autonomy... privacy... by tverbeek · · Score: 4, Insightful
    One of my first questions to those mandating this change is how many more people they're going to give my department to perform these duties, and how you all are going to be trained to be familiar with the other department's apps. This is a pile of work being dumped in your lap.

    As for your questions, I don't think the privacy question needs to really become an issue. Pretty much every place I've worked in IT or Tech Support, I've had system privileges that gave me access to damn near anything on institution-owned equipment, from the president's e-mail to the custodian's bowling-league stats. And I've told them that... with the assurance that even though I could get at this stuff, I had no intention of doing so. I'm too busy to monitor people's private stuff and it's none of my damn business. I tell them that techies are just like janitors: we have keys to everything. {shrug}

    What's likely (hell: inevitable) to become an issue is autonomy. If people have to come to you to do things they're used to being able to do themselves, they'll understandably resent you for it. The only solution I can suggest to that problem is to give them the same level of service they're used to getting from themselves. e.g. If they want some software installed, you get the software installed. ASAP. (This is why you probably need more staff.) If you make it clear to them that you're trying not to get in the way of their work, they'll resent it less. And when you can't deliver, or have to say "no", they'll hopefully be more understanding if they know it's not just you being a control freak or lazy or not caring.

    --
    http://alternatives.rzero.com/
  5. and who looks at the IT people? by Anonymous Coward · · Score: 1, Insightful

    oh wait, youre more equal

  6. My experience is only anecdotal, by munpfazy · · Score: 5, Insightful

    But, I've worked in three somewhat different academic research environments.

    1 - One central admin for all the desktop machines in a massive department, no one else gets root on any machine.

    2 - One central admin who is mostly an advisor, people are allowed to administer their own desktop machines if they want.

    3 - Free-for-all, in which most groups have one or two principle computer gurus who handle multi user servers and almost everyone administers their own desktop machines.

    #3 is far and away the best. In #2, no one that I knew of actually took them up on the remote administration option, essentially reducing it to #3. #1 was a nightmate for everyone. When the deparment computing committee tried to talk everyone into switching to something closer to #1, we all resisted fiercely and eventually they backed down.

    In an environment where people are actually using their computers as research tools, rather than as expensive notepads with which to writeup the results of their research, it pays to place control at the lowest feasible level. Every time a user is forced to ask someone else to fiddle with software, it adds *days* to what should be simple tasks.

    Sure, you create an occasional security risk when a bad user fails to install patches. But, there's no comparison between the number of man hours spent on dealing with those sort of incidents and the amount of wasted energy in trying forcing every minor change to go through a central administrator.

    In a computer lab or a corporate environment, you might be able to make a case for central administration. For academics, it's just crazy. (And I suspect enforcing it will just drive everyone to switch to personal laptops instead, in addition to pissing them all off.)