Should IT Shops Let Users Manage Their Own PCs?
An anonymous reader writes "Is letting users manage their own PCs an IT time-saver or time bomb waiting to happen? 'In this Web 2.0 self-service approach, IT knights employees with the responsibility for their own PC's life cycle. That's right: Workers select, configure, manage, and ultimately support their own systems, choosing the hardware and software they need to best perform their jobs.'" Do any of you do something similar to this in your workplace? Anyone think this is a spectacularly bad idea?
In a perfect world this would actually work. But then we'd run into pirating like crazy and companies being sued all over the place. I certainly support a more liberal approach to what employees are allowed to use on their machines, but restrictions certainly need to be in place.
The Computations of AdamR
http://www.adamreyher.com
I'd say this has "bad idea" written all over it, but my PC just blue-screened.
Bad idea for those that run shops with people who are clueless to computers. These types of people are walking disasters for the entire IT dept. Good idea for those young-ins that know what they are doing with computers. These types of people not only already save the IT dept. a lot of hassle (I personally help numerous people in my area with computer problems that might otherwise get relegated to IT), but they will know how to work and manage all the software and tools that they opt to install.
Crackin' Wise - Blogging about whatever we want
Let them select everything on their own? I have a 72-year-old guy in the next cubicle ... I don't think the man knows the difference between a CPU and motherboard ..
Sure. I'm getting them to write their own software too, but the learning curve is a little steep. We would like to have them fabricating their own chipsets by 2010. Of course we'll have them start with FPGAs first before actual silicon, because that only makes sense.
Better known as 318230.
What in the fuck does this have to do with the Web, much less whatever 'Web 2.0' is, you inane retard? Kill yourself.
Real companies have an IT dept that manages things. If you're some cool 10 person 'web 2.0' shop or whatever maybe you can get away with shit like this. A company that has typical users CANNOT do this. Some of my users are IT savvy people, most aren't. They scratch their heads when it comes to anything over and above logging in and opening the business software.
At the last two companies I worked for my desk had two computers, one to essentially read email and use Outlook and another where I actually did my work (software engineer). We weren't allowed to muck with the 'corporate' email computer but were free to do almost anything we wanted with our dev machines. The corporate system was more capable than my development box. What a waste!
When your company is full of young, tech savvy, computer literate people then maybe. But the vast majority of the places I have worked have been half (if not more) full of old semi-luddite completely computer illiterate people who, if left to pick their own computers, would be as likely to come back requesting a PDA as an actual computer. As for running their own maintenance... once again, only with a younger company. Unless the "older segment" of the company is very tech savvy, i.e. engineers/scientists and have all been using computers their entire professional lives, then this sounds like an absolutely terrible idea.
I think that if The User is savvy enough, then yes. This is pretty important anyway, as we've still not figured out how to toaster-ify our computers. In fact, I think we never will. Trying to make something DAU proof will merely invite a dumber DAU.
After letting users pick their plan, phones and cell providers and having ***$900*** cell phone bills each month we said "You will pay for anything over $85".
Surprisingly the bills dropped to about $85 and they let us manage the plans.
As an IT guy like so many others - the reason users don't manage their systems is a) they can't and b) it's better for the company if professionals do it.
Any idea why this article hasn't been tagged "whatcouldpossiblygowrong" yet?
So the answer is basically, "it depends".
For security reasons it's always important to manage the AV, updates, etc. on the machine.
If you have important IP on laptops, it becomes even more important to have a good policy to manage machine health, rather than leaving it to individual discretion.
And finally, if you have well-defined and relatively narrow roles for which machines are required, again it makes sense to lock them down.
So depending on how much of the above is true, the answer will vary, but in general IT shops should not trust users to manage their own machines especially because users really don't know much when it comes to keeping a machine secure.
We all cry for choice in our software.... let the users do the same. Let them choose to either manage their own system and they can purchase/upgrade/sell whatever they want and, when it blows up, they reinstall. Or let the IT department do it and then they can get the ugliest locked-down no-fun non-root access box to play with. Also the servers aren't theirs so anything users put on there is still subject to corporate rules but otherwise let users be smart and just let them know when they break rules (illegal content sharing that could get the corporation in trouble, or propagation of viruses from their system, etc.).
Anyway, someday when I'm the administrator I'll do it this way, or try to at least.
If I went through IT at work, I would still be using Photoshop 5.0 and some ancient version of Pagemaker. They're so slow (and this is a true story, honest to God) that the last time they approved any work software for me, the company had stopped making the version they approved before they finally approved it.
SJW: Someone who has run out of real oppression, and has to fake it.
Of course I need *both* those 3870x2's for ... climate modelling? Yes! Climate modeling, if it's gonna rain I'll let you know! Think of the money we'll save by knowing... Ah, to dream - I'd probably get a TNT2 instead no matter what I asked for.
Shh.
Some of my users would and can do a fine job of that, but they're outnumbered by the ones who aren't trained and/or bright enough to be trusted administering their own box. Click on shiny! free tool to clean spyware that it just detected when you visited this website, oh yes. Install all kinds of crap and wonder why the computer's crawling & BSODing. Get us audited by the BSA, etc.
Maybe for the better sort of user, but gods no for the unwashed masses.
Hail Eris, full of mischief...
E pluribus sanguinem
is long over. I'm sorry but this could only be a good idea if people weren't idiots.
You can do all the hand-holding you can and they will STILL find a way to mess the machines up. And as long as management sees it as YOUR responsibility to clean up and correct the messes that users create, you're nothing more than a janitor.
I have expressed the philosophy to various departmental management people that it doesn't matter whose 'responsibility' it is to get things fixed. It matters that things get broken. The amount of down time suffered happens regardless of who owns the responsibility, but can be avoided with more responsible behavior by the users.
I express that "these are your work tools. you mess them up and you're losing money until I can fix it again. There is nothing more I can offer."
I think that hits home with a lot of intelligent leaders.
So yes, give users control over their machines... but make sure they know that even though you're there to clean up the mess, the mess's fall-out is still on them. They will then take better care of their tool... their source of productivity and income.
Well I'll need a monitor, a keyboard, a mouse, and one of those boxes that makes it go too right?
No.
It's one thing to let users do admin work on their computer. There are many IT folks who are knowledgeable and competent and will manage their software well. But, when it comes to configuring, purchasing, etc, etc...ack! I know for a fact, if I was given complete liberty over the hardware that I was using, I'd have my own server. Money and resources need to be managed. Giving a developer a faster computer won't make his work any faster if his current machine is Good Enough(TM).
The real trick is to have an efficient IT support system within the company that actually understands the user's needs. Many times, IT folks are not well trained or just don't care. That's when it becomes an issue.
If maybe there was some kind of test employees could take to ensure that the user is competent so that you don't have clueless employees installing Bonzi Buddy on work systems. Letting people who know what they're doing have their systems customized to their liking doesn't seem like it would be a big problem, but you never know I suppose.
For those in IT who think this is not the case, consider your power users. Many really can function - even if not to corporate standards of security or conformity - with very little help. They probably will spend an extra $200-$400 per machine for stuff that has marginal use, but they'll feel better about it and be productive. The problem is that there's that one guy - and everyone in IT knows who he is - that is way out of his depth and just doesn't know it. You spend a lot of time praying he doesn't screw up more than his own workstation. The good thing is that considerably more than half of modern staffs will likely just want you to set it all up and keep it running.
In the case for users managing their own PCs, NASA used to be this way where I worked in the 90s. We ordered our own PCs, set them up, installed all software. The IT staff would help get us on the network and keep the network running. There were exceptionally few problems. This was, however, before most people had access to the internet, and predominantly before the web existed.
Is it just my observation, or are there way too many stupid people in the world?
This works great in academia. IT is never going to know all the weird software I need anyway. The only time I've ever needed to call IT in the past 3 years is to get administrator access or fix a hardware problem. But what works for a small biology lab isn't necessarily going to work for a large corporate call center of course.
Give me Classic Slashdot or give me death!
I imagine this could work and work well in an IT shop full of software developers. However it isn't going to work if the users don't know an operating system from an aardvark. You'd still want some minimal rules like keeping the PC patched and good A/V software if you're running Windows, but I'd say it's doable.
What it isn't going to do is reduce your costs. You might have a very minimal help desk and no specialized staff installing those desktops but that knowledge, time and effort must be spread through the organization. You may also find it harder to get good deals on bulk purchasing depending on how you do it.
These posts express my own personal views, not those of my employer
You need to be able to evaluate this on an individual basis. Most places I've worked have users who we can trust to do whatever they want and get work done, but I've never heard of a workplace it would have been safe to let everybody have free rein.
I think that some employees should be able to. Granted, almost everyone in IT probably has Administrative access to their work machines. However, some might not. If so, then it's wasted productivity for someone that knows what they're doing to have to wait for the helpdesk staff to do it. And, let's be honest. The helpdesk doesn't always do everything right.
The question is where to draw the line. Obviously if you or I had to sit around and wait for someone to come do everything for us, we'd be pretty unhappy. What are the chances that there are capable people around that are just getting annoyed with having to go to IT for everything when they are perfectly capable of handling it themselves?
This sort of thing would never fly at a sufficiently large company. Once you get to a certain size, the pressure to "standardize" becomes too strong to resist. I suppose this is reasonable, because the licensing, support, etc. is much cheaper this way. Oh, and arguing that individual choice makes workers more productive is useless: productivity can't be easily measured -- therefore it doesn't exist.
You can let your users manage their machines, but only to a certain extent before it gets damaging. But at the same time you have the converse, where you have so many users that your IT staff cannot hope to manage every machine.
This is why corporate and network policies are so popular at major companies. Generally the systems are set up to maintain themselves, but are still open to being wrecked by their users. Corporate policy comes into play regarding illegal materials or pirated software being on the machines, and that's usually enough to keep most machines in working order.
Where I work every user has administrative access to their machines, but the network policies enforce the presence of McAfee and various background installers that push security updates when necessary. Not that this stops the more adept users from getting around this (Task Manager running as the system account lets you bypass network policies,) but generally anyone that can do that won't be the first out of the gate spamming the internal network with a virus (that'll be the CEO!)
Let's face it, the general workforce is in no way prepared to handle their own systems.
The lack of proper firewall and security software of the machines connected to your network should be enough to give any IT staff pause. Add in piracy, and you have opened a Pandora's box no company wants to be left holding.
If you run a small business of tech savvy individuals, you could try this out and see how it went. For any company that has information important to itself and the shareholders, it is not a realistic option.
While I understand the concept, the risks are too high to consider it an actual IT plan or solution.
The company I work for requires that all workers (who are not employees, but are contractors) must supply their own PC. The company still provides basic development software and OS (Visual Studio 2008 etc), but it's up to us to
a) administer our machines
b) add any software we think may be useful
c) handle our own licences
So far, no issues except for the guy who rebuilt his machine and didn't put on any virus protection. We got hit by a nasty virus that infected a bunch of servers for about a day. I really like having ownership of my PC. I can customise and upgrade it whenever I want. This means just about everyone has dual monitors because they only need to justify the cost to the only person who counts - themselves.
It's good luck to be superstitious
We have 7 techs supporting 2000+ computers in 800+ offices. We give guidance but we don't tell them they have to run them in any specific manner. The biggest advice is, "Boring is good".
License compliance is one detail where you can't offer any wiggle room. There are a number of good auditing software (including some free ones!) that will report on the installed software. That will keep you out of legal trouble.
In most (non-software developer) environments, employees are hired for other skills, e.g., process claims, sell new business, operate a shipping machine, etc. They are not hired for their PC abilities.
In better run companies a centralized IT department can improve efficiency and keep employees focused. It's a waste of money to have some high-paid sales rep, doctor, lawyer, lab tech or financial analyst spend 2 or 3 hours fixing a PC where a trained, less expensive person could do it in a few minutes.
This is where a Microsoft-centric environment really shines--it enables good centralized controls and allows for enforcing company policies. It is perhaps one reason why the Windows OS is so "bloated"--it's really corporate features that the big buyers need. (For example, AD is really useful in corporations, but overkill for the home user.)
Asking employees to manage their own PC is like asking them to be their own package delivery firm instead of using UPS or FedEx. Do you really want your lawyer (or doctor) to be billing you $250/hour while they are installing a new driver on their PC?
Managing PCs might be ok for software developers or specialists who need unique hardware. (As an aside, all software developers should be required to run as a regular user (not administrator) to ensure that the product doesn't require administrator rights.)
That's pretty much how it goes with our IT dept. Not because it was a conscious choice... but, because we are a very small company and they are lazy as shit.
In the days when I was on a large network, I thought it was a bad practice for the IT department to have better setups than the end users. Some IT people had not just faster computers but leaner images with less integration and less overhead. Their machines flew.
But of course they had no appreciation of how bad it was to be in the trenches. Their computers performed so much better than the equivalent computers of the end users that they often did not realize how hard it was to get work done on a standard image.
When I reached the point where I ran one of the departments, I kept an old standard-image computer as my main computer and made sure I was always at the end of the upgrade queue. My view was that if something worked well on my computer, it would work on anyone's. And if something didn't work well on my computer, then it meant some of my users were having a bad experience.
So maybe if the IT department would just use the same image and hardware as the end users, they'd know enough to provide a decent standard image, which would solve a lot of user complaints.
In my opinion, there is a vast difference between what a user "thinks" they need to do their job and what they actually need. Just like any other part of the company you need some gatekeeper for cost control and to make sure that purchases don't overlap. If every user could pick what they needed to get their job done I'm sure you'd see a lot more Quad cores being ordered with SLI video cards. Not because the user thought they needed them, but because they were more expensive so it must be better for them.
If you were in a technology company this might be different because in theory the users would be more knowledgeable about tech products. However in most companies I would guess the users don't know the difference between XP Home and XP Professional, so how can they pick what they need?
Error: Sig not found.
I have trouble convincing people not to set their beverages on the copier while waiting for jobs to complete. Give these people local admin rights and we're going to have smoke and shrapnel.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
My IT guy is scared of me. I usually just leave the room when he insists on going on my machine, because I have the rude tendency to look over his shoulder and tell him he's doing it wrong. I stay on his good side by fixing other people's computers for them, he reciprocates by giving me new hardware when I ask and leaving me alone. Next step: installing linux.
I think most responses to this story will be very critical of this idea. That's because most corporate slashdot readers work in an IT department.
I don't; and if I had management of my box, I would literally have saved weeks of wasted time last year. I'm still doing some crap manually because I don't have the administrative ability to install a perl interpreter on my machine. Every few weeks somebody from IT tinkers with it for an hour, fails to get it working, I report it as a problem, then wait a few more weeks. For all that IT workers are known to hate bureaucratic red tape, it sure seems like they don't shy from foisting it on other areas of the company.
Most incompetent people won't want to mess with their settings in the first place. Give the employees some rights, but just require accounting of installed software, and publish guidelines that must be followed.
If ever a story more deserved a "whatcouldpossiblygowrong" tag, I've never seen it =oD
Maybe end users have changed miraculously from when I was still doing desktop support, but I doubt it. IT doesn't develop policies limiting supported configurations just to be mean (generally). They do it because that's all they can in fact support given existing staffing and support metrics. Maybe you can get small numbers of users to be sufficiently knowledgeable that they can support themselves, but the overwhelming majority of users don't know enough, and don't *want* to know enough, to do this. They'd come to rely on some absurdly obscure or broken application, then call IT when it doesn't do what they want it to, and IT would have no idea how to fix it. Plus they'd end up with massive amounts of pirated material. The techs aren't going to memorize the manuals for every possible bit of code a user might take a fancy to, and they certainly can't test every possible combination of applications to test for incompatibilities.
Letting end users choose their own machines and apps sounds like a lovely and empowering idea, right up until the point where they need to call tech support. And find out that it might be days before IT can fix whatever is broken, since they are starting with zero idea what is wrong because of the wacky config. Those days of lost productivity can be hugely expensive compared to the costs of testing a few specific configs that can be easily and quickly supported. Some tech hours of advance testing and some possible minor losses of productivity from using applications that aren't the user's favorite choices are far cheaper than having an employee turn in no billable hours for several days because his computer is down.
You're just jealous 'cuz the voices talk to *me*
On the pro side I see:
Increased employee morale
Labor savings from having one less IT technician who used to order and set-up laptops and work stations
On the con side I see:
Increased IT hardware costs (everyone has the best of everything)
Increased labor cost from high paid users spending days and days researching, ordering, installing and repairing systems
Increased hardware and software cost from loss of corporate mass purchasing contracts
Interoperability issues (different software, versions, formats, etc...)
Exposure to system intrusion, viruses, data loss, data theft, etc...
IMHO looks like the cons outweigh the pros (at least with today's technology).
It depends on the organization. I used to work in a 20 or so person division of a software company in which the technical staff were allowed to configure and maintain their machines, within certain constraints. The funny thing is that the primary development team ended up with the same software on their machines, the consulting engineers ended up with their own tool suite, and the marketing guys just relied on the support staff to keep them running. There were a few differences as far as text editor and debugging tool preferences, but generally you could sit down at any machine and expect it to have everything you needed - a virgin install contained our core tools and network stuff anyway. That said, it was *really* nice to be able to install a necessary program or utility without having to go through layers of bureaucracy.
However, I've also done stints at telcos and other massive organizations where things were incredibly locked down out of necessity/paranoia. I never had too much difficulty getting tools/permissions that I needed, but that was probably because of my role within the IT group. Had I been a marketing guy trying to install some sort of whacky video software, things might not have gone so smoothly.
It's a good idea if your users have a clue. It's a bad idea if they don't. It entirely depends on the users.
In my shop we're all coders, so that plan would work. In fact it's vital to our work. Originally we were locked down and had to have an admin install pretty much anything we wanted to use. IT became an inhibitor rather than a helper. They eventually had to lift the ban. The policy was in the way.
On the other side of the coin, I've also held IT positions managing users. Giving some of my former customers the keys would have been an immediate disaster. In that case a lockdown was a lifesaver.
Weaselmancer
ridiculous.
...except for me.
they run Ubuntu on the PCs. Then there will be peace and harmony, and the planets will align (this is /. after all).
Where I work (40 people) we do precisely that: staff select their own equipment and mostly do their own system maintenance on it. There is a support department that can be called for help, and that enforces the use of anti-virus, system updates, etc. For the rest we're free to install what we want as long as it is legal.
And it works great! But I should add that I work for a software house - you'd expect decent knowledge and strong opinions in such a situation anyway. I wouldn't advise the same strategy to places where people have far less computer knowledge, unless of course you are interested in running after your users day and night to fix their problems.
How about..
Cab drivers get to fix their own taxi cabs.
Pilots perform their own maintenance on their jet.
At least the last 3 places I've worked. The Mac community helped itself out, at the largest site we had one formally trained Mac tech support person covering probably 150 or more Macs.
Then another place I worked, the one time the tech support people touched my Mac, they screwed it up...
On the other side, I watched an employee of a Fortune 50 company visit another company's location, where the latter would assign you a specific IP address to use. This guy didn't have enough privileges on his Windows box to configure the IP address on it, and of course his corporate help(less) desk's attitude was that they had to have the machine hooked up to the internet to remotely administer it. Catch-22...
Dilbert's "Mordac, Preventer of Information Services" is unfortunately the way of life for most corporate IT departments. When I'm King, every CIO will provide each employee with a charge number against the CIO's budget, when an IT problem prevents that employee from doing productive work.
dave
Printer friendly link
Our company lets people pretty much do whatever they will with our workstations and laptops. Luckily though, everyone here comes with a resume a mile long in the tech field, everyone has at least one tech certification, and most of us have spent the past 10+ years in data centers. So, we have the freedom to do what we want. For instance, on this laptop I have bioshock and call of duty 4 installed (for plane flights, etc when I have no real source of entertainment), numerous training software packages, a couple movies, and a ton of mp3s. A lot of other people have itunes installed along with a small subset of their music collections. So far I've yet to see anything bad come out of 'nonstandard software' - funny enough, the only big disaster we've had was actually when mcafee had a bug in their dat files which led most of our servers to commit suicide. The irony was that this was company software. Luckily though it gave us ammo to get the layer 8 types to switch to Kaspersky. But I digress... If anything people are more relaxed when they are responsible for their machines. I think there's a mind set to it as well - the computer isn't kept a black box to users. They can play with it and interact with it. They can make it theirs. It's like when a carpenter has a favorite hammer or screwdriver - the others will work, but he'll prefer his or her own. I think what makes my situation unique though is that everyone here is very tech savvy and security conscious. I highly doubt that in a situation with lots of average Joe and Jane users would our methods work even remotely as well.
Are the users competent to do the job more efficiently than IT?
Is the network configured to treat all machines as untrustworthy OR are all users competent enough to not endanger the network?
If both, then it's not a bad idea. Many engineering shops take this approach. Most other shops do not.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I work for IT for a decent-sized department at a university -about 200-300 machines. All purchase requests go through us, but we usually get what they ask for (as long as it's a Dell or an Apple, but mostly because we have institutional deals with them and they're on the cheap). We set up XP (Vista only if the user wants it). We lock down antivirus and things like that, but for the most part the sub-group they're in has admin privileges on all their machines - but no one else's. When things get fubar'd, they call us to fix it. If it's something they could have avoided, we'll try as hard as we can to fix it. If it's something stupid ("I opened an e-mail attachment") it may take us a while to get to it. YMMV.
No.
I worked as help desk at a bioinformatics research facility, with roughly 200 people, and I can fit the number of power users that I could remotely trust to run their own machine in one hand. And 3 of them have gone over our heads - one wiped his own RHEL Linux (not that I'm a fan, but it's managed) with his own Ubuntu install, causing us grief when we change settings. He also caused a Kent State Computing Science PhD (who's more like a n00b who can't type his password right) to demand the "same" setup, burning up weeks of time for 2 out of 4 IT staff, myself included. The other 2 would routinely try to install pirated software on work computers.
And we do try to install software in time for our users. We would try to allocate the right software in time, and if there's no reasonable way to do it (i.e. the user can't get the funding), we try to offer alternatives. In the past, yes, the IT department had been sluggish, but the majority of them have left, and we do try to provide good service.
Apparently, in a bioinformatics research facility, most of the staff who do research don't know jack about computers, or how to maintain them. If the users are allowed to manage their own machine, I would spend so much time fixing machines, I would want to jump off the building.
Thank god I left that place. It was bad enough with the existing setup. To think that most users can maintain their machines is pure folly.
A government institution, to be precise, and the locals were using government computers, government media (CDR's) and various other resources to pirate everything from Windows to Games for Windows... and you know what? I was nearly fired for bringing it up. Taking action with my "superiors" in IT over what I perceived to be a legitimate issue, and being not only stonewalled but also treated like scum, is what resulted in me tendering my resignation shortly thereafter. Total time on job? Less than a year... far less. Reason? Dirty business practices. Yes, this was a SCHOOL... these are the people teaching your kids what to think, and possibly (in rare instances of "good teachers") even how to think. Another example of government "honesty" and examples of justice. Piracy reigned, and when notified, my "superiors" felt offended that I did not remove the offending software. After much correspondence and arguments, and nothing getting done, I finally got fed up and left. There is a reason schools enjoy Linux like pricing on software. So many of the teachers pirate everything in sight, with full oversight of the various officials.
And then they teach kids that "crime doesn't pay". Talk about hypocrisy.
Another reason to pick up homeschooling.
" What luck for rulers that men do not think" - Adolf Hitler
Depends on how technically savvy the users are.
Technically clueless users wouldn't know what to do anyway.
Technically savvy users need little more than an IP address and a beer to do the right thing. Hell, our sysadmins consult with me to help figure out how to do things right.
The middle ground is the one that makes me nervous. The nouveau-techie little bit of knowledge types are the ones that scare me.
I've installed and configured everything in my cubicle, and have root/admin access as well, because I need it. This is as it should be. I do not have root access to our main file server, because I do not need it. This is also as it should be.
...laura
Slashdot posted this well-accepted article a while back http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9050878/ and it described the 5 users with whom an admin hates to deal.
1. The Know-It-All
2. The Know-Nothing
3. Mr. Entitlement
4. The Finger-Pointer
5. The Twentysomething Whiz Kid
Given that there are more of these than there are "Dream Users", a "Web 2.0" approach may not be the best idea.
However, speaking from the lips of one of the "Dream Users", I'd like to have a bit more freedom on *my* workstation. As it is right now, I cannot write to the program files directory nor install any program that requires registry entries. That means no compatibility updates, no utilities (Acrobat Reader), etc. I can't streamline boot up, reduce RAM usage-- any of the things I would do on my own with an out-of-the-box machine without any fear of technological repercussions.
So, no, don't give everyone self-governance abilities, but please utilize the bomb-ass users you have. Help them help themselves!
You're lucky if your IT guy even speaks English well. Often times communicating the problem is hard enough. Then you have to wait for them to schedule time. IT has always been a mess. I've always been frustrated when an IT guy had to come over and type in a password to change something on my machine. Two days later it's broken again. It's really pointless. I use IT for network infrastructure and maintenance. Someone has to tend to the server. Individual machines can be handled by power users. Some of us have had computers since we were old enough to speak. We know how to use them. If I need to use a corporate app I'll RDP into a windows server or ssh into a linux server. That solves many problems. The IT guy only has to maintain the server for me, so he becomes more effective. I'm only using the server for corporate apps, so it's not likely to get messed up by me or any other user when trying to install a new game. All that only works if you're savvy enough to run your own machine. IT doesn't need to spend time with those people. If you can't support yourself then you should request a locked down computer, so IT can handle your problems quickly.
At my workplace we can do pretty much whatever we want with our computers as long as it's legal. I take my machine home and play games on it all the time. (My work laptop is actually a faster gaming machine than my desktop.)
It seems to work out pretty well. I haven't seen any big problems from it.
As for everyone else, the percentage of people in an office setting that are competent enough to be trusted is much, much lower. Also, given that corporate environments have a heavy emphasis on conformation and uniformity, that's the last place you'd want people making that decision.
The general rule that I've seen is that the larger the set of computers that needs to be managed, the less control you want the individual users to have over management of their machines. They can take it personally all they want, but, as much as I dislike saying this (I really do), no (large) corporation should ever let its employees use their own machines for business work or give its employees any more control over their work machines than pushing the power switch to turn it on.
"osake no hou ga, biiru yori ii" to omotteiru.
We have a small Plone/Zope consulting firm (10-15 developers + project managers + designers, etc). We let our employees and subcontractors do whatever they want. If they want to use vi, emacs, textmate, or whatever the like then they can. We have people running OS X, Ubuntu, Debian, etc. Everyone chooses their own IRC clients, chat clients, etc.
Obviously this doesn't work in every environment. You can't have the kid at the register at WalMart saying that he wants to use a different embedded OS in his cash register. We have smart people working for us and it's their job to know computers. As long as the job is done, we don't care.
The only downside being that we sometimes want to do something together that gets tricky to standardize then (video conferencing, screen sharing, screencasting) that doesn't work always great in all linux distros. That's rare however. Also since we let people choose then everyone gets very opinionated when it comes to choosing a piece of software that everyone MUST use (like project management tools, document sharing, etc).
Tibbon
tibbon.com
And while we're at it, you can leave me in the cigar shoppe overnight to safeguard its contents. You can trust me!
"Quote me as saying I was mis-quoted." -Groucho Marx
At my workplace, we're pretty much left on our own with our computers. We usually get to choose our own hardware (within a budget), software, OS, etc. For some of us, there aren't any problems, so this works great. And if we need something, IT support is available. But for some at my workplace, this is very very bad. For example, several people here can't resist clicking on the "YOUR COMPUTER IS INFECTED" or whatever malware teaser pops up while they surf the web or read email. So, every few months, they hopelessly infect their machines and have to call IT support. Then the IT support guy comes over and spends a week recovering their data and reinstalling everything, etc. Same thing goes when ordering hardware. The same kind of person who clicks the virus.exe popups, finds 10 super cheap brand new Dell workstations on ebay for less than $100 each. He can't resist the bargain, so he orders them and they're mostly DOA. Dell tech support won't service them, because there is something wrong with the service tags and some questions about the legal status of their ownership. Then the work IT guy has to come over again and waste countless hours and money trying to get a couple of them working.
There are all kinds of great software out there for the users to download and manage themselves like gain gator, weatherbug, myCoolWebsearch, and so on. Oh yeah, let's protect ourselves too, I can't WAIT for the phone call from the guy that installs 5 different AV softwares, Norton Internet Security, and puts Zone alarm on his PC... "Um, my internet is broken.. do I have to buy more internet or can you get me some more?..." -- Actual question. This really needs to stay in the hands of IT.
PYROPHOR
1. User just deleted a "critical" data directory/file.
2. User just deleted an OS directory and their computer will not run.
3. User kept everything on his/her local drive and it just caught fire.
4. User wants an email from 3 years ago that user had deleted from his/her last computer 2 years ago.
5. The legal department wants all email to/from Mr.X, Mr.Y and Mr.Z.
6. User keeps getting infected with viruses.
With centralized control, all of those are simple. Once you start allowing users to choose what to run, how to configure it and so forth, all of those become major issues.
Of course this works out well in my case because I actually know what I'm doing, and more to the point I don't do stupid things (like run P2P and/or eat up all the available bandwidth on our skinny little pipe); your mileage may vary. The average user isn't so well equipped to make sound decisions about such things, though.
It entirely depends on the company. Small companies, Linux shops, and engineering-focused companies work better with people maintaining their own machines.
I work at a Linux-based network security startup. Engineers maintain our own Linux boxen, IT maintains the Windows boxes given to non-engineers. Most employees, engineers included, have Windows laptops assigned to them as well; those laptops are maintained by IT. Of course, we're a small company...IT consists of one person in our US office and one person in our India office.
Not much piracy concerns with Linux; we don't run any commercial distros on our desktops (we run a hodgepodge of Debian, Ubuntu, and Fedora), and none of us have any use for Linux commercial software.
I support the Center for Consumer Freedom
Like most slashdotters, I'm in IT.
The last couple of companies I've worked in, have made the decision to allow us -employees- to admin. our PCs. We are mostly semi-senior developers: we have the knowledge to make our computers perform their best, and we know what we want -and need- from them. No one else -not even support dept.- can know what service, application or tool is best for us and, being highly trained, we're the best admins. these computers could have.
-- For instance, even though we need to use Windows XP, no one uses IE --
And last (but definitely not least), this is what we *do*. Most of us could hack through the security policies if they were there. I don't think that having over a hundred skilled developers trying to bring down your security infrastructure is the best way to go.
Whenever I start my own company (that's right, I still like to daydream), I'll make sure I hire talented, trustworthy people, and grant them admin. rights of their PCs.
PS: Note that admin. of PCs != network admin. Everyone here should appreciate the difference
It applies because it really depends on the situation you're in. In the company I work for, we can't have 100% access to the systems because of security issues (gov (fed and state) law). But even if we could manage our own work terminals, I wouldn't recommend it. So many people barely can work with what they have, installing what they want would be a nightmare.
That's not even the worst of it, I could only imagine what it would be like fixing these people's computers when they get infected warez (spy, root, etc).
I really don't know what the answer to this problem is, but maybe users could take a test to see if they're competent to admin their own terminal, and if they pass they can sign a document taking full responsibility over all activity that it creates (illegal warez, torrents etc.). I would LOVE to have full access but that's not going to happen here!
My abilities are only limited by my imagination
I've been at a number of companies with totally opposite ways of doing things. Currently, where I now work, we let users do mostly as they please. Surprisingly, the amount of support time isn't much greater than when one has to control the IT worker's every move. The greatest part of support is still helping users with various software issues. Generally, it works quite well.
If you charge the users for support somehow, even if just internal funny-money. And it depends on the business too. In a tech company, I'd want everybody to be able to at least manage their own PC, and wouldn't hire anyone who couldn't. In retail, maybe not.
IT is supposed to support the business, not run it. I find the article refreshing, as this is exactly what it promotes.
Many knowledge workers who rely on IT services could benefit from some customization beyond the "standard corporate desktop."
Some IT departments seem to only want to support the standard desktop, though. This is lazy & you don't need a dedicated, internal IT department to do that: you could just have redundant standard desktops around & rely on out-sourced support and "from the trenches" help for any corner cases.
The place where letting users take care of their own workstations comes apart is when things go wrong. If everyone is installing their own programs you will never know what is causing the problem. As soon as it breaks the user who installed it, "Didn't do anything wrong, it just stopped working" and then the IT guy is supporting an application that he didn't install and doesn't use.
I'm of the opinion that if a user really NEEDS a piece of software because it is SO IMPORTANT TO THEIR JOB, then they can take the necessary steps to bring it to the attention of IT and wait a week or two for IT to evaluate it. I've yet to work in an IT department where REASONABLE requests were turned down.
The flip side of the coin is that if you let users have whatever they want, you end up with Kazaa/Limewire and a buttload of IM clients installed all over the network, along with Skype, browser toolbars, and who knows what kind of malware. Then you start getting calls from VP X who doesn't have program Y that cubicle monkey Z used to create the file. You have one department using some stupid third party plug-in for Office that nobody else in the company has and 'YOU HAVE TO UPDATE EVERYTHING RIGHT NOW' because they are working on some "IMPORTANT DEADLINE" that absolutely requires someone to have the plug-in.
This article should be relabelled, "Do I really have to do my job, or can I just quit and let the users do it for me?"
In tech-savvy teams, yeah, let them manage their own computers, especially programmers and sysadmins. Otherwise they'll have every moment and to be honest their productivity will probably be reduced. Especially because many IT facilities are nazis on a power rush who take positive delight in being obtuse and difficult - especially to those more skilled with computers.
However other people? Noooooo! Not even with a course in basic computer management.
I'd still get the former group to take a course in acceptable computer use, of course. Too many universities don't have a proper ethics course on their CS courses these days - then again, too many CS courses are glorified "programming" courses.
Personally I think that there have to be standards in any type of environment. I don't really want to have a number of different word processors on people's machines so when someone sends a document no one can read it (sure I can have them save to the same format, but are they really going to listen?). Also if you leave people to maintain their own machine, there is a security risk. People who don't install security updates, update their anti virus, etc. Also are you expecting your users to maintain their software licenses? There is just too much risk for not using software correctly and getting yourself and company into trouble.
I work for a large engineering company (50k+ employees) and it seems to work reasonably well. There is no way that the IT dept can enforce a standard operating environment, since we are client driven. Our clients demand, and we supply, solutions to problems. This requires the principal developers and systems engineer need support a raft of different platforms, OSs, software and skills on their own. The IT department manages the corporate infrastructure (e.g. LAN,WAN,VPN, file servers, access control, backups, email, etc...) but they're not responsible for determining development and test tools. We develop and integrate complex Control Systems for our clients. So the engineering/project departments are responsible for selection of software, server, workstations, embedded controllers, switches, network sniffers, protocol analysers and anything else that is required to support that function. The system works, as the IT support and engineering sections work together to iron out problems. It's not anarchy, because key "experts" in each domain are tasked with making the system work. Communications is the key point.
Having users manage their workstations is a fine idea in theory, but when it comes to "How did these files get deleted" or "who installed that piece of software" all too often there is just a big shrug or deliberate finger pointing. If users want to follow installation procedures that's a different story, but most users will take as many shortcuts as they can around paperwork.
boycott slashdot February 10th - 17th check out: altSlashdot.org
If you tell your IT guys to configure the machine as they need it that gives them "excuse the pun: LICENSE" to go buy the software they need!
How much is your data worth? Back it up now.
All the concerns mentioned so far about licensing point to why using OSS at work is such a good idea. It's freedom b/c users can grab the software they need, and it's free and licensed appropriately to do commercial work with. It's the reason learning the GIMP is nice, b/c for that occasional image modification/creation that has to be done, no procurement / approval process needs to be gone through (the actual cost of the software normally comes out in the wash, it's all the time/hassle of multiple people that costs the money). Of course this relies on users having admin access, but also points to why I'd love to see Windows ZIPs just containing the binaries necessary to run w/o an install published. Totally worth it.
I have worked in both types of places, I prefer working in an environment where a COE (common operating environment) is implemented, running around trying to support hundreds of PCs with a different config on each is a waste of time and resources. An example, it used to take 15 techs to support 3000 users, after the COE was implemented we dropped that number to 10. Their work PCs are just that, work PCs, not for recreational use.
I think it's up to the IT department being smart. In my business they do a great job managing the computers that need managing yet my team of 6 programmers are allowed to do what we need to do to get our job done. Common sense goes a long way as long as the company is small enough that the IT department knows its "clients".
Where I work, there is a single IT guy in the IT department (50 person company). He trusts me and one other guy enough that we have full reign over software on our PCs (barring piracy, obviously) and we get recruited to help others frequently. Everybody else installs crap like a "dealio toolbar" and "dinosaur screensavers" and "sweetIM" and drives the three of us nuts because they're morons. Whereas I IMed the IT guy, was like "hey, can I update video drivers so I can flip this monitor on its side? I need vertical workspace more than horizontal" and he was like "whatever. You know what you're doing". I'm just rambling now.
Are there any left? Last big corp. I worked for outsourced it all, and so whether we liked it or not we were locked down.
putting the 'B' in LGBTQ+
that stored the music. It's pretty reasonable to assume that well, lets see the music is stored under
C:\Documents and Settings\John User\Documents\My Music\Lita Ford
I think John User must have done it. I am pretty sure if you spell it out as policy against such actions, that the company would divert *.aa to the actual user that committed the infraction. No amount of hand holding can really prevent this sort of thing. If they have access to the box, they have root right? That's what we say all the time here.
They will do stuff like this. It'll get worse as the younger generation grows into working age.
That's why I don't store too much personal data on my work computer, but access my own music via streams from orb.com
However, I guess we could just make it illegal to use workstations at work, and make everyone access company infrastructure via a terminal. Yeah GREAT IDEA...
How much is your data worth? Back it up now.
I work as a software engineer at a 1400 employee genetics research laboratory. At our organization IT provides several standard hardware configurations for personal computers (15 or 17 inch MacBook Pros, two Lenovo laptop choices, and several desktop choices like an iMac or Mac Pro, or similar Windows PCs). Non standard hardware configurations can be approved, but may have to come out of your departmental budget and unless it's a server or something that isn't supported by the helpdesk folks then it is a huge pain in the ass. Servers are a different story. We have 400-500 Macs on campus and a slightly higher number of PCs. I have an Apple laptop w/cinema display for my primary computer and a Windows desktop that I rarely use. I have full admin on both, but both were initially configured by the helpdesk. I usually install my own software that isn't included in a standard configuration. Anyway, it is up to the department or group manager to determine if a user should have admin on his or her computer. In my group of SEs we all have admin. I also have root on a few Linux VMs running on a Sun blade system that we use for development or for hosting apps that our small group uses like subversion and bugzilla, even though primary sysadmin is handled by our IT department.
Probably the biggest advantage is the time it could save for employees to have a system configured to do what they want to do, rather than what the IT department wants it to do. I work in a company with 500+ employees, and I think we spend the equivalent time of about 20 full-time jobs on waiting until our computers are willing to respond. That's more than there are people in our IT infrastructure team! If it sounds like a lot, then remember that a working day has only about 500 minutes, so if everybody has to wait one minute, that adds up to one full working day for us. You could argue that many people spend more time chatting over coffee, but chatting over coffee can actually be useful, whereas drumming on the table with your fingers until your computer responds again is not. Anyway, savings in IT time could very well be infinitesimal compared to savings in user time.
Having leaner, simpler configurations better tuned to do actual work, instead of meeting IT management functions, could be of major benefit to a company. It would not only save time, but also result in happier employees.
Even when it comes to setting up new systems, my experience is that skilled users have systems that are leaner, faster, cheaper, and more stable than professional IT teams. I don't know why, but I would guess that it is because users are inclined to take something that works out of the box and just use it, while IT people would start to tinker with it until it meets a dozen extra requirements, put it on a shared server with five other systems, and install it according to the internal SOP. When a user needs disk space, he buys extra disk at $1 per gigabyte, or thereabouts. When he needs to ask IT, then IT will buy an approved system at $2 per gigabyte, add $8 extra for maintenance and administration costs, and charge the user $10. Yes, some of that extra work is actually very useful, such as taking backups; but much of it isn't.
As for security, my experience is that cover-all security procedures that lock everything down tight and try to maintain fixed configurations, mostly serve to cover the ass of the IT responsible. Half of the time they don't really work anyway, or have gaping holes in them. Some of our IT people do maintain a high level of security in their area, but that's because they are very flexible and adaptable, and always seek to work out the best solution that serves both security and functionality -- so users respect them, and try to cooperate. Overall, it might be better for the IT department to adopt a reactive strategy, by scanning for real security risks and intervening when they occur, instead of fostering the illusion that they have everything covered.
Manage all of the office/service computers, but we force the techs to use their own computers, and load our software on them. We are able to force them into buying their own computers as it is considered a tool. All the computers at work are logged onto local admin accounts and connect to our database server through telnet. We have surprisingly few problems even though we run no AV, nor do we patch or have anything resembling an IT department. We have boxes ranging from win95-XP in our offices and the techs have everything from p1 laptops running win95 to a guy with a quad core desktop (this is to run a telnet client). With the exception of assigning static IPs and replacing HDs basically no maintenance is required.
How about if you give people local admin iff they are actually competent to do so?
How much is your data worth? Back it up now.
I worked at one point for a computer magazine, and the editors/writers had quite a bit of leeway when managing their own systems, since it was part of their job to test software etc. Though they should have used the test machine, that really did not happen often. But even these smart, very tech-educated people often killed their machines.
There is just no way a user, no matter how savvy they are, can keep up with the potential conflicts, problems, incompatibilities etc of every piece of hardware and software they have. That is WHY IT departments even exist. Too many times I had evil meltdowns on machines where the user THOUGHT they knew what they were doing.
In some cases, some leeway might be granted, but only on strict limits. I understand why some companies might think this would save money or time, but this will change as soon as someone loses mission critical data.
It really is the tech savvy user who is the most dangerous, because they do not know how much they actually don't know. Most other users are too afraid to play around with their machines 'cause they are afraid they will kill it. That is a good thing.
But only after signing a form stating that all damage they do will either come out of their paycheck on top of the time/work lost or be repaired by their hands when they're off the clock, again with a pay deduction based on the number of hours lost. I'm well aware that nightly/weekly backups would fix a lot of this (and should be implemented in any case), but a downed machine still means lost productivity, so it's nice to have a deterrent.
I just read Slashdot for the articles.
My company has very little in the way of computer policies. Every user has admin rights on their machine, and my office is the only one running AD. From what I've seen, even technical people tend to spend little time worrying about the security of their computers. --In other offices, support people and developers often don't even have passwords on their machines.
So, these days, where it's very hard to get people to worry about security, piracy, and the other problems IT administrators have to worry about, it's not a good idea to let users have full control over their systems. You need to find a balance between maintaining the necessary control, but not being overbearing and draconian with your policies.
Hardware fails, it happens. Being able to drop the harddrive in a spare machine and be up and running in minutes is invaluable in real world environments. If you don't have a limited number of configurations, you aren't likely to be able to get up and running without significant downtime.
Perhaps there should be a line drawn between your regular "data entry clerk" and your power user. I know my request to have the putty suite installed on my computer is still in process, probably due to the IT department trying to figure out what it is.
*sigh* I take consolation in the fact that I'm getting paid in the meantime.
Hi, I Boris. Hear fix bear, yes?
Deep Freeze is a product put out by Faronics that completely drops all changes made to the machine once the user reboots. You can set aside portions of the drive to retain data, and issue one-time passwords that expire at midnight should the user find the need to permanently install "undocumented" programs. This allows the user to run with administrative rights and eliminates a significant portion of support calls that I get from users. Some of the clever abuses I've seen despite this:
- users going nuts during the brief window that their one-time password is valid
- users installing Bittorrent clients to download "legal" material to their data drive. They harvest the data somewhere else (CD, thumb drive, external hd, network share) then reboot the computer, knowing full well that all traces of the install have been eliminated. This can be mitigated by having the machine send a copy of logs to a network share somewhere on logout.
If they are competent, why not? IBM lets competent and aware employees take responsibility for their own PCs/systems, all you have to have is motivation and desire. Those IBMers that want a managed desktop solution have many options to choose from internally (WinXP, Ubuntu, Debian, RedHat, etc.), but if you want to control your own box (within the constraints of IT security guidelines, suitable for work, etc.), then so be it. 40% of IBM US works from home, so the issue isn't control (or lack thereof), it's trust. IBM trusts its employees, and your company should too.
Saying that "backups exist" does not address the question of HOW the backups are made when the user can put any file anywhere on their system.
With a centralized system, the users can be restricted to ONLY saving files on their TEMP directory and the servers. Those are MUCH easier to backup and lots of packages exist for that exact purpose.
I work in a small company (5-10 people) and we've tried all manner of methods. Locking things down too much causes problems or extra work (or both). Not locking things down in a Windows world can lead to disaster. As we're fairly young (just over 3 years) we don't need too much IT, thankfully the Open Source world was mature enough for 80% of what we needed. The decision was made early on that we'd go with anything that worked best, provided we could back out and change to something else later on if things weren't working out. This was due to a bad experience with some accounting software (Quickbooks) that forced our Director to keep a copy on his laptop, meaning that when he was on holiday no purchasing could be done. Moving to 'things we can back out of' is by far the best idea we had. I wish we had a few more since.
We trialled Vista and there was universal damnation, even though we barely locked it down. On XP we provide regular user rights, users use Mozilla Firefox (with ABP etc.), Thunderbird, AVG, Windows Firewall, OpenVPN and either Office or OpenOffice. This seems to work fine for most users, those who want more rights are educated on the effects but get them. Our mantra is "You can use any software you like providing it's appropriately licensed, but we only support X on X".
Because of concerns about XP availability we've been trialling Ubuntu Hardy. Even though it's beta (actually alpha when we started) it's been universally preferred compared to Vista and because we've inadvertently developed a predominantly Open Source stack (not deliberately mind, just because we've based on open standards) we've only had to do some basic education on the fact that folder names have changed and on some specific differences with dialogs and menus.
In fact we had more hassle migrating from Office 2003 to OpenOffice than from XP to Ubuntu (trial). We even have non-tech savvy users who prefer Ubuntu because "It gets out of the way and lets me get on with it." - We're waiting for the final release before we finish the trial but so far feedback has been mixed (negative because of the learning curve associated with differences but positive because of some of the differences) with a general preference for XP, then Ubuntu, then Vista or Mac.
The next stage of the trial is to give people full admin access on Ubuntu. The experience has shown so far that users handle Ubuntu more responsibly than XP and tend not to try to install stuff willy nilly or mess around much (although this may be a combination of fear and a lack of access to synaptic). To achieve this we're going to set up our own apt repository with a subset of hardy packages and use puppet to keep the trial system configs consistent. Has anyone else tried anything similar? If so what was your experience?
For a security-conscious machine, absolutely not. I'd be horrified to find out people are processing anything with my social security number, any billing info, etc. on a system where the user is allowed to install whatever they want. Especially a Windows machine. Security should be paramount in situations that are security-conscious.
Otherwise, IT should be a service (and when I did IT for a department, that is how I treated it).
Some people are most comfortable having a standardized setup, with someone taking care of the "technical computer stuff" for them such as updates, etc. For them, they PREFER a standardized desktop with no surprises (i.e. fairly locked down.)
But, others would fight IT every step of the way if they were told they had to be all locked down. I would provide antivirus and antispyware (if they're using Windows), and insist on knowing what is installed to avoid piracy. We had a tape backup system (this was years ago, I'd back up to a disk-based setup now.) I also provided a file share for people to use to exchange files easily. I'd make the IT-standard apps available for the user if they want them (E-Mail, openoffice, etc.) so they aren't having to pick everything themselves if they don't wish to. Otherwise, let 'em have at it.. and if they break the machine, I'd take a crack at fixing it but if it's too hosed, just install from the baseline install.
This probably would fall mainly along departmental lines, and some departments would have to be locked down for security reasons.
At least where I'm at, users have not reached a maturity level to match whatever Web 2.0 has to offer. I'm not even admin on my own mail/internet machine, and that's fine with me, although I'm one of my company's leading software architects.
The first reason for locking down user PCs isn't piracy. It's malware.
Your organization is at great risk from all sorts of malware. Look at the Hannaford incident (http://www.informationweek.com/news/showArticle.jhtml?articleID=207001073&subSection=News), though it isn't precisely on point - their SERVERS were compromised. I wonder if the vector was actually a workstation, though...
But workstations are the most obvious target, and permitting users to install anything they see around the Net is asking for trouble. It's bad enough that we have to watch over Outlook and make sure it doesn't install with default 'view attachments' or 'execute'... Another reason to lock down the workstation, since if we let the user reinstall Office components on their own, will they get it right? What if they decide to install the latest anti-spyware gizmo cause it's 'the best'...
It depends on your level of paranoia, and responsibility. If you work for a firm that needs strict controls, that pretty much settles that. If your firm is littered with competent users, like a Google, well your job is that much easier.
Until somebody screws up bigtime. Then your job is hell, satisfying your bosses who want this to 'never happen again', and your users who will proclaim themselves 'smarter than that', despite recent evidence to the contrary.
And all this is in addition to the usual antivirus/malware filters, firewalls, intrusion detection, auditing, blah blah blah.
Really, your business needs drive the level of lockdown.
deleting the extra space after periods so i can stay relevant, yeah.
1. User just deleted a "critical" data directory/file.
2. User just deleted an OS directory and their computer will not run.
3. User kept everything on his/her local drive and it just caught fire.
4. User wants an email from 3 years ago that user had deleted from his/her last computer 2 years ago.
5. The legal department wants all email to/from Mr.X, Mr.Y and Mr.Z.
6. User keeps getting infected with viruses.
With centralized control, all of those are simple. Once you start allowing users to choose what to run, how to configure it and so forth, all of those become major issues.
This first step is some simple instructions to the users beforehand:
- "Look at your computer and know that it is going to fail. It is just a matter of time. Backup your data like your life depends on it. When it goes 'bonk' you don't want to be left crying in the closet."
- A corollary to the above: "Put all of the office's data in one location so you only have to do one backup. It will also ensure that you don't end up with multiple versions of the same document."
- "Boring is good. A boring computer is one that just starts up and works every day. A cool, exciting computer has cool, exciting problems. Keep it plain and boring."
- Related to the above: "There is nothing free on the internet. If you can't figure out how they are making the money to pay the programmer then they are doing something that you don't know about and aren't going to like."
- "Run the Symantec Corporate Edition (or the new Symantec Endpoint Protection that we are just rolling out) and no other antivirus software. More than one antivirus program will cause problems."
- "Don't run any resident antispyware program in the background. If you do have a problem try the following: Spybot Search & Destroy, AdAware, SuperAntiSpyware (horrible name...), and TrendMicro's Webscan. Remember that they really are out to get you so stay with business related sites." (We have found that running resident antispyware programs generates more support calls than spyware infections do.)
Those are the basics of preventative training. Now onto the specific answers.
(1) "Let's go to your backup... Not backed up? Let's check deleted files... Not there? Too bad. (we don't actually say that) It is lost (Now you should repeat the training mantras from above so they learn something for the future.)"
(2) "You can send the computer in or I can send out an imaged HD and we will walk you through putting it in. Then we can remote in and transfer your files across to the new drive. What version of word processing do you use because we can preload it before we ship the drive. Do you have the install disks for your software? If it isn't a disk that I have in my library then you will need to go get it."
(3) I have never had a computer catch fire. (10,000+ and counting) The closest thing were the computers in an office in Chicago that were caught in a highrise fire. The data was all recoverable. But to get to the point: "We will need your backups and I will send you an imaged HD and/or computer. You can send the drive here and I will attempt to recover the data..." Any lost data is dealt with like the previous examples.
(4) "Sorry it is gone." Suggest that if that is important to them they will need a sophisticated archive rotation scheme. If someone wants this we will write a DOS batchfile to help implement it for them.
(5) Email retention isn't a problem in a small office until it is mandated. Then we would simply come up with a backup scheme probably using a batchfile running on a schedule.
(6) The user pretty much learns after the first or second infection. Infections really don't destroy data anymore like they used to. That went away about 3 years ago. We always counsel people on safe computing and it is exceedingly rare when they don't listen. In the couple of times where they kept doing it we added Spybot or similar to run resi
I pretty much manage my own PC at work. Now we have site licenses for all the Windows and Office installs. I don't track my licensed software on my own, it goes in the DB with all the other information on my computer. Now I did that myself and have complete control over my entry in that database. Fortunately, if I need software, it's purchased for me and a few other co-workers. eg I run F8 as a base install with VMware Workstation to handle testing and windows (XP, Vista). The rest of the department can't really touch the host OS (I'm not nice enough to set my root password to one of our local admin passwords) But SMS is still able to patch the windows VM's and I manage patching the host.
So, I get my host OS that gives me most tools that I need to be happy and still can say that I have a fully functional and compliant windows installation(s).
Supplies!
Back in the MS-DOS and Windows 3.X era there was no good way to prevent users from administering their own PCs. It was a big mess, I know because I worked in IT back then.
Some users ran FDISK and deleted their hard drive partition, they found it in the C:\DOS directory and started with programs starting with A, and once they ran up to F they ran FDISK.EXE and it asked them "Warning this will erase all data on your hard drive, do you want to continue? Y/N" and they hit "Y" and Enter and it destroyed everything they worked on.
We found that a pirated version of Johnny Castaway was installed as the default screen saver and passed around via floppy disks. It had a virus in it which got spread around a lot. Users were supposed to run regular virus scans, but they never did. I and others had to go around, update each antivirus program, and scan the PC to remove all of the viruses on them.
Somehow departments didn't tell us they wanted MS-Office 4.3 but somehow the users installed a copy of the software on their hard drive despite their department not paying for a copy of it. We had to buy bulk copies of MS-Office to cover the extra copies.
Some users paid for OS/2 2.0 and others used Windows 3.X and DOS, but somehow the OS/2 users decided to format their hard drive and install MS-DOS 5.0 and Windows 3.1 on them without telling us and violated software licenses by not buying a copy of DOS or Windows on IBM PS/2 machines that came with OS/2 preinstalled. Not only that but by formatting their hard drive they lost data files that OS/2 had on the HPFS file system that they never bothered to back up or copy to our network drives (Novell network back then).
Others decided to just delete random system files to free up hard drive space. Then complained that they got a lot of file missing or invalid messages.
At least Windows 9X and NT added in admin and user access to protect users from themselves and allow IT or Super Users to manage the system and software.
I worked for a law firm that decided to give all partners administrative rights to every system on the network. It wasn't fun to find that partners had loaded our ASP programs into Frontpage and mangled the HTML formatting codes so they wouldn't work. Not only that but they checked out VB source code projects and overwrote them and bypassed the version control and sabotaged our work that forced us to work extra weeks and months to fix. Not only that but in Windows 2000 if a programmer doesn't have admin access some developer tools don't work right or are disabled. So us programmers got set with user access and then couldn't do anything unless we logged on locally without using a domain name to run our developer tools. But then we didn't have access to network drives and servers, etc.
From my experience giving users admin rights is almost always a disaster that forces IT to work harder to fix the messes that users cause by messing with their systems. Nine times out of ten they install games like Bejeweled after getting admin access to their PC.
Oh yeah most of our servers and workstations got infected when a manager had admin access and opened up the wrong email or visited the wrong web page and then the virus spread via the network to infect everything else because the manager had admin access to all systems on the network. In fact I remember one of our manager's account sending out the Lovebug emails 12 times a day during one such infection.
Learn from Unix/Linux: don't run everything as root, only give the IT people admin or root access.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Use the term weasela in a negative manner...
8')
j/k
As for your IT/Programmer rules, I applaud greatly for that stance. Even if you do know more than the IT guys, cut em some slack, they make crap for $ and usually don't have the training needed to do their job. Granted some think they know it all, so what? You know that you could write a tunnel straight to your favorite pron site and they'd never know. Just do it and don't whine. Also, when you befriend an IT person, suddenly you find your life getting easier. Need a port unblocked for some R&R time? Not gonna happen if you piss em off!
How much is your data worth? Back it up now.
Second story down...
To the best of my knowledge, nothing so far has come of this except for the resignation of the Capitol Complex Administrator.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
Just like there are moron users and dangerous users who think they know what they are doing, there are moron IT staff and dangerous IT staff who think they know what they are doing. Then there are the IT people who are in love with bureaucracy or operate with a cover-your-ass mindset.
Bottom line is, if the IT people suck then they should get the hell out of the way. If they don't suck, gladly let them do their job.
Users as in your aunt Tillie who was hired to sit at the front desk or users as in the developers?
:-)
I work as a developer and I couldn't possibly imagine switching to Microsoft One True Platform, Selected By Company Management. I pick my platform, I maintain my platform. I tell you I need a piece of software X, you buy it for me. No "going through the management chain" or any of that bullshit.
This might sound a bit arrogant, but I won't go to accounting and tell them how we should do the company taxes whereas it's quite common for accounting to make decisions on developer tools. Quite often the answer is "Sorry, that's quite expensive and we won't pay $400 just for the fun of trying out a new tool". Well, guess why there is pirated software on the developers' machines.
For some reasons startups seem to understand this and large companies don't. Might be the developer-auntie ratio.
When I came to my current job, most of all of the users were local admins. This caused such a headache for those of us in the department. They could install any application they found on the web, they could install 10 tool bars in the browser and then ask why is it slow. They would install what they thought they needed. Then they started sharing out files and folders, then wondering why it was slowing down their PC, and why such and such could not get connected it was the end of the world. The users are just that, they do not need to be able to change an IP, install things. I am sorry but to help things work, and flow, they need to ask and get approval to install things.
This would work well with a thin client / server-based computing. Users buy and manage their own endpoints (laptops, home PCs, etc), and connect to corporate resources via Citrix, Terminal Services, or some other virtualized computing environment. Only input (keys, mouse) and output (screen, video) is exchanged between endpoint and corporate resource. Connections can be locked down so that client drives, printing, clipboard mapping, etc, are locked down - or not depending on the security vs. functionality balance chosen by the organization.
This is already happening in a lot of places. Users provision their own machines, and download the bare minimum in order to connect to corporate resources. Some municipalities are even offering kickbacks to companies who allow users to work from home, alleviating the burden on rush hour.
There is not much difference, really... in the end results.
The Lotto is a big gamble where stupid people pour in a lot of their hard-earned money, only to see it ultimately end up in someone else's hands.
A 401K plan is a big gamble where stupid people pour in a lot of their hard-earned money, only to see all the stocks it was invested in dry up and blow away, and all that money ends up in someone else's hands.
We're a relatively small software group in a massive global telecom, but in a remote office (luckily). Our corporate laptops are pretty much owned by IT, they load it, track it, audit it, etc. We also have development desktop boxes we can do whatever we want with, most put Linux on it and are completely self administered. The only real risk of this is that someone would abuse and compromise the network. Luckily we're all "nice" users, but I would imagine all it would take is one rogue user to blow our privileges and we'd be back to working on the corporate controlled hardware and software. The larger the group gets, the higher the probability gets that someone will abuse it.
You may find my appearance and demeanor foolish, but it is you who plays the fool.
Cause all companies have employees like Google's, so it must be the right thing to do.
I bet you can't wait to see how awesome and productive I am when I plug my laptop into the network after my sales trip last week. Lots of public IP's in lots of hotels for me. (Public IP costs more, so it must be better.)
In fact, as a sales guy with no concept of security, I'm far more productive with cold-contacts when I'm my own sysadmin.
Just yesterday, I offered most of North America half of prince Kazblekistani's inheritance. I plan on offering the same to Europe this afternoon.
</Sarcasm>
Wow, worst insightful post I've seen in my whole life... should have been off topic or didn't read the memo....
Not really, unless you have a company full of morons.
1. I don't see how this has anything to do with a user's workstation. If there is a critical data directory or file it should be on a critical company server and it should be backed up. No one said you had to let the users run free on the COMPANY machines; just their own. Remedy: fire yourself for being stupid and not using privileges on your file servers.
2. If the user is that unintelligent maybe you should delete them? If you give them these privileges they have to manage their own backup practices or deal with reinstall. Or rescue. That said if your user manages to delete an "OS" directory you just learned they can't be trusted to stay out of things that aren't their business and that they won't ask for help for things they don't understand.. fire them or lock down their machine...
3. I fail to see how this is affected at all by the topic. Whether or not your laptop / local workstation is "MANAGED" by an IT dept is irrelevant. The damn thing is DEAD and gone either way. If your employee is too stupid to do any backup then again, fire them. Very simple.
Items 4 and 5: simple, it doesn't matter what the user does on their end. Company has an email server and that email server doesn't delete documents. Period. User connects to server with whatever client they want that speaks POP or IMAP or whatever... but the SERVER disallows actual deletion. Problem solved.
6. Fire the user; they clearly aren't intelligent enough to be beneficial to you. Or remove THAT user's privileges to maintain their computer. Better yet just throw Linux on his/her machine and laugh at them.
Centralized control has nothing to do with any of these issues in the context of this topic and thread. You don't need to centrally control a person's machine to achieve any of these things. You need some central presence and central controlled servers. This is very different from central control of EVERY MACHINE and the user's machine.
Whether or not you lock down every single 'user' machine I would expect that you have a company email server, company firewall, and one or more file servers. You can also have policies that state clearly when backup should be performed, what should be backed up, and legal consequences for not doing so (esp if a case like this happens to you).
But I doubt you'll have too many of these problems because many talented developers would never want to work at a company that short-sighted.
As a developer I couldn't get anything done if I couldn't "manage" my own machine. Maybe that approach works great for random clerical people; but I feel like this wasn't aimed at that sector.
"Jazz isn't dead, it just smells funny" ~Frank Zappa
EdelFactor
Why is giving control to people directly equated with piracy? You mean people would not really be interested in, er, working? Allowing people to install their own stuff is one thing, and not monitoring everything they install is another. Define clear guidelines/rules, let them install whatever they want, keep on checking stuff on the computers on a periodic basis (remove torrentware, unlicensed software etc). Of all things, why did you have to go and choose piracy? Never mind... I see you are +5 insightful.
Actually, trying to teach the IT department to create software can be the biggest challenge. Among the end users there will always be a few people that can write their own software, and as they are usually single-mindedly pursuing their goal without being distracted by mountains of paperwork, they sometimes do very well and often are more than adequate. They may be sloppy in their technical practice, but often not sloppier than nominally qualified programmers (alas), and at least they understand what the software is supposed to do.
The problems begin when you try to hand off software development and support to an IT department that has 1 programmer, 2 documentation managers, 3 database administrators, 5 testers, 7 security managers, 11 project managers, 13 general managers and 17 generally useless people. The teeth-to-tail ratio of general IT departments trends towards the truly awful.
What the IT department fails to realize is that they are support. Let me clarify: S-U-P-P-O-R-T. The IT department can make recommendations and argue for or against a policy but they shouldn't dictate how I do my work. My key tool is my laptop.
For the less experienced computer users the IT department should offer whatever services including a complete image for the OS etc.
For those that want to fly it alone, they should establish a minimum policy for security products (say anti-virus - although I cannot remember the last time an anti-virus software actually picked up something - and maybe firewall) but that is about it.
Right now my company has decided that 15 minutes and the screen saver must come up, no grace period. So as long as my potential customers don't dwell on a presentation page too long, all is good.
Actually it's really not that bad, when the computer F's up, the client is usually understanding, knowing their IT department does equally boneheaded things TO them. We laugh together. What is really cool though is when they push down an update which then pops up every 10 minutes asking to reboot. Oh yeah, and reboot takes 6-8 minutes because IT has determined my office is too small to warrant a local domain controller.
Bottom line: give your customers options! The secretary might not mind handing over full control. I can't afford to.
TODO: create/find/steal funny sig.
One day 15 years ago, I started a new job. I walked in with a NeXTStation Turbo. The IT guys threw up their hands and said "You're on your own, buddy." I have been my own administrator ever since.
Sure, they can manage their own terminals. But their terminals have no hard disk, no removable storage, no USB and no internet connectivity. No problem.
As someone who has worked for 10 years as a network admin, the answer is NO.
Yes, there are special cases out there. But they are special cases. By default, the only policy that works is to lock down a machine and grant access as needed. Too many people treat an unrestricted machine like a "rental." They abuse it. They don't take simple precautions because, hey, it's the company's machine. Given a chance, they will treat it as a personal plaything.
To deny these truths is to deny basic sociology. And as I said, 10 years of first hand experience that is amplified by every competent admin I know.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
The idea is though, that they become their own tech support. They buy their own hardware/software, do whatever they want with it, and when it's broken? They have to fix it. If an employee turns in no billable hours for several days because his computer is down? It's his fault---it's then up to the management's judgement as to whether that employee is doing his job well enough; fire him if that's the way to go.
Users will be much less likely to mess things up if they know they can't just blame their lost productivity on "computer problems", and if their job security can be strongly affected by what they do to their machines.
No. You can try it for a while, then instead of having one person screwing things up you have a lot of people screwing things up. Oh and after you break down into a gibbering mess and reinstitute controls be prepared to have your life threatened for enforcing a complex password policy.
These are serious questions:
Do UPS drivers change their own oil?
Do corporate attorneys and accountants take out their own trash? Do they sweep the cafeteria after lunch?
Should police officers tune up their own cruisers?
Should surgeons and doctors clean the bathrooms in a hospital or fix the air conditioning when it breaks?
All these people are hired to perform their specific jobs with their specific set of skills. Do you think these people would be more or less "productive" by doing jobs that are usually left to others?
IT is no different. IT should be left to those with the necessary skills. Let the other employees do the jobs they were hired to do.
-ted
I think this is a great idea. Even though I mostly delete blank pages sometimes my machine skips a beat. If I could get an mb with dual GeForce 8800 GTX SLI and 2 gigs of ram with a game pad I think my production is likely to increase ten fold, especially with dual flat screens! I can't wait to install my games, errr, kidding I mean teleform.
"I guess I'm gonna fade into Bolivian."
Given that it's a work computer, it seems pretty unlikely that they'd be downloading tons of pirated games. At least, it seems unlikely they'd get away with it; there's the corporate firewall in the way, and there's the fact that they'd then have to hide the very existence of those games from everyone else.
So you're basically assuming we're talking about people pirating Photoshop, Office, Visual Studio, etc.
And frankly, there's a finite number of apps anyone actually needs at their job, or even apps they think they need.
So give them a stern lecture about piracy, and a large budget to go buy software with. Given that, what users are actually going to be running pirated software?
Don't thank God, thank a doctor!
Group policies lock EVERYTHING on our high school computers out, to the point where all the GPs themselves fuck everything up more than the users could ever do with admin access...
So simple things like adding a printer or using Task Manager require a call to the 2 IT people in the ENTIRE DISTRICT to help.
Calculate the cost of IT.
It's hard, but come up with a number. Amount actually being spent on IT, amount you'll inevitably have to pay in lost productivity (if too locked down) or in chasing viruses (if understaffed), etc. Compare that to the cost of per-user budget and training.
Now, look at things like: How much more could you pay a reasonably computer-literate person to do various jobs? How much might it cost in training to salvage some of your workforce?
But honestly, some of the things the "unwashed masses" do... Look, this is your tool. You depend on it -- you rely on it all day, every day. Any other kind of tool, you'd be given training, and you'd be expected to know how it works, and not screw it up in stupid ways.
Would you hire a truck driver who didn't know how to drive a truck?
At the very least, give them a test to prove they're savvy enough to do it themselves.
Oh, and remember, with the power comes the responsibility. If your users are admining their own box, they don't get to come to you when it's crawling and BSODing. If they do, you get to reformat and put them back on the old-fashioned IT lockdown.
Don't thank God, thank a doctor!
I suppose it depends which large company you're talking about, but there are large companies which function as a conglomeration of smaller ones. In fact, many "large companies" do this in a pretty dysfunctional way -- various managers and departments stake out their territory and do things their own way, and as long as it works, the Large Company doesn't want to interfere.
Oh, and maybe you missed it, but Google is doing this. Do they not count as "sufficiently large"?
Don't thank God, thank a doctor!
There are only a few situations where I can conceive this actually being needed, and those situations involve tech-savvy "IT professionals", or niche (very niche) creative folks.
In 9 out of 10 (or more) situations, what is on the desktop should be decided by whoever is ultimately responsible. Set a slim baseline, and work from there. Sure, there can be wiggle room, but there really shouldn't be a need when you've got Windows systems running on an AD domain (or some of the other nicer management tools out there). You can very finely tune what can be done, per user and/or machine, and grant "special" privilege when it is actually needed.
From what I've seen, the vast majority of people who bitch about not having control of their workstation are bitching because they've already got more "control" than they can manage, and they've gone and botched it up by installing screensavers and malware without realizing it.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
OK, are we talking about computers used by non-IT employees, or all departments? Maybe it's my youth showing through, but as an IT employee, there's no way in hell I will ever work for a company who polices the software I run on my machine. I would not last a week in such a restrictive environment without wanting to bomb the place. I don't run pirated software, but I do sure as hell run enough software that does not deserve having to go through some sort of approval phase.
My work computer, my control of the machine. My biggest beef with corporations is the "one set of rules for everyone", which restricts people who know what they're doing all to hell, to the point where work efficiency is down 50000% because they can't do things their way.
Now, if you're talking about idiots who download spyware IE toolbars, screensavers, who open every exe file that crosses their path, etc., then sure, police these people. Kick them to the curb and hire someone else if you have to. But for the love of Pete, please don't just lump everybody into one group labelled "corporate employees", and expect Mr.Knows-what-he's-doing to be treated like a child because other employees are ignorant or just plain stupid.
1 hour of lost productivity for 1 year is much worse than 5 full days of no work because of no computer.
While driving Warwick Ford (CTO of Verisign) to the airport a few years ago, I asked him what he thought was the greatest challenge with respect to security, and he said he thought it was the insecurity of operating systems. I agree with him. Further, OSs are way too complex to administer for the average user, and if you (unknowingly) administer it improperly, it is insecure. Therefore, it is almost academic that average users cannot be trusted to maintain secure OSs. Ergo, if an organization values security, average users should not administer their OS. I would go even further, that the average user should not even have an OS at their disposal, given that so many exploits are the result of inappropriate usage of applications (such as browsers). I am not advocating going back to the days of VT 100s, but it is a sad fact that in today's situation, with non tech-savvy people using general purpose insecure OSs and applications, organizations are constantly at great risk, and it is a game of Russian roulette: something really bad and embarrassing for the organization will happen if the organization is merely a little bit unlucky. That is not a good place for an organization to be. (There is some kind of big corporate security disaster story in the news almost every week.) Desktop systems should be completely locked down in terms of what can be installed, and what the configuration is; and it is better if users who don't really need a desktop OS have instead a thin client so that they cannot run anything outside of the sandbox imposed by the server.
If OSs and application security ever improve, I will change my mind.
It is also ironic that the industry realizes that people won't pay for the security that is needed, or tolerate its inconvenience, yet the insecurity of today's systems is responsible for huge indirect costs to all of us.
I've been doing exactly this since around 1995. I started with a small company in 1994, and they gave me a Gateway laptop. After about 10 reloads of the OS, due to numerous driver problems and config nightmares, I went out and bought a Mac, and gave back the Gateway. I've provided my own Macs ever since, with every company I've worked with/for. When I joined Sun in 2003, they gave me a Toshiba, and it got booted maybe 1-2 times a month for apps that just HAD to have Windows, and even less often now that I have an Intel Mac that can run Windows virtualized. I support myself from an IT standpoint, and my productivity is much higher.
I'm thinking there could be an acceptable middle ground here. Give the non-technical users standard hardware, standard software install, no authority to mess with the workstation they get. Give the more knowledgeable users fairly standard hardware and let them choose and maintain the software within certain reasonable guidelines. If they break the software, they get a certain amount of time to try to fix it, and if they can't get it up and running they get their machine re-imaged with the standard set of software so they can get back to work. If they end up putting the same software as before on and it breaks again and they can't fix it, re-image with standard software and suggest that they re-evaluate their choice of software. If they still stick with it and it breaks again, they get demoted to non-technical status and can no longer mess with their computer's setup.
Of course, I can see this sort of thing causing problems where people (especially those who think they know it all but just fuck everything up) complain about how Steve over there gets to maintain his own computer but they don't, but to a certain extent this might be covered by the "screw it up too much and you lose your privileges" system.
I think it should be a mix of allowing more experienced users more control and others less. I work on a corporate help desk for a large company w/many many many PCs. I find that the robot management of PCs sometimes causes more problems than it fixes. PCs slow down because they're overloaded with corporate monitoring software, lack of regular maintenance that experienced users could do if they had access.
I've seen many systems take 15 minutes or longer to boot. I've had to remote into PCs to delete user profiles for people who haven't touched the machine in years. One time I deleted several hundred profiles off one PC.
*It's not what you can do for the Dark Side but what the Dark Side can do for you!*
I'm not an IT worker, but I must say sometimes it would be nice to be able to install a program or two to make my work-life easier. I do a lot of writing and research at work, so for instance, a nicer clipboard app than the one built into Windows would be nice. A word processor other than Word would also be nice - there are tons of formatting bugs, which alone drive me nuts. I don't format anything until everything is done but readjusting everything so it "fits" properly on a 20-page document is a PITA I don't need.
Maybe a small 5-10 person office it would work, but past 100, you better have those machines locked up tight and strict policies in place to avoid Mr. Office Know it All from installing a pirated copy of Office loaded with a virus.
"Slashdot, where telling the truth is overrated but lying is insightful."
As long as they don't call the help desk when they have issues I'm all for them doing their own upkeep. One of the hardest things for help desks (or anyone really) to do is support systems that have any number of possible combinations.
I personally don't run the supported install at work, but I also don't expect help desk's help if I end up doing something stupid.
We hire the finest of the finest of IT staff and all them are Novell certified and have extensive training. The management policy is to only buy equipment from IBM. The company runs all software on the mainframe. The workstation screen theme is battleship grey. Keystrokes are monitored by HR. Numerous biometrics are used. Searches are done by security for electronic devices coming or going from the office. Everyone is happy because they are safe.
It's really not a hard concept. You don't, for example, expect people in the aircraft industry to just make up their own processes for maintaining an airframe the way they like it, or supplying their own tools and spare parts for the purpose. You don't see employees at an oil refinery or a nuclear reactor just sort of reinstall their own process control systems when they come on shift. You don't see hospitals encouraging surgeons to autoclave their instruments however they like.
Why is that, do you suppose? Employers could download the responsibility onto individual employees. But they don't. I don't claim to have the definitive answer, but I might observe that, in most industries, doing things randomly is risky. Specifically, it's risky for the employer. So, rather than suffering an exodus of customers, or massive litigation, or the inconvenience of part of the neighborhood just blowing up, employers generally define the processes and supply the infrastructure necessary. It's generally a more effective way of causing predictable outcomes than just letting people randomly do stuff.
I don't know where the perception arose that it might be a good idea to make a special exception just for computing infrastructure. Just give everybody root? It probably came from the same software vendor who used to assure us that because its customers don't consider security important, security itself must not be important. Except that it always was important, and now it's time to wake up.
Parity: What to do when the weekend comes.
Why does this thinking apply so frequently to the IT staff? People seldom second guess the accounting department during tax season. After all, they're professionals. No one bitches that they could do a better job cleaning the toilets than the janitorial staff. But when your XP machine (That you *HAD* to have local admin on) grinds to a halt, all of a sudden you get permission to go on a tirade because your sister's daughter's boyfriend "knows all about computers" and told you it was the IT department's fault?
The right answer is, as has already been said, "it depends." In the environments that I manage, you'll get power user status on a desktop over my cold dead body. Yeah, I've had to hunt down permissions issues to make programs work (instead of giving out local admin, which would have fixed the problem, but led to many more), that's life in a restricted environment. In the places where I've worked where admin access on Windows machines has been tossed out with no regard to security or stability, the end users have *always* ended up making more work for the IT staff. Always. Cast it in stone. There may be a few users who could genuinely use full control of everything they do, but those people are few and far between.
We focus on the times that a local user could have managed their system better. You *can't* hear about the number of times the IT department did a better job than the local user. Bob from accounting doesn't know that thanks to the WSUS server, his laptop wasn't vulnerable to the Sasser worm that was blasting away on his laptop for two hours while he 'worked' at the local Starbucks. The collections department doesn't know that thanks to the IT department they *didn't* lose a week's worth of data when a drive failed on a properly backed up server that resides in a well designed datacenter. What they all do know is that the IT department are assholes because they don't let us get out to Facebook and play Scrabulous.
There are some people that if they don't know, you can't tell 'em.
If your organisation is large enough to know what its SOE is, then IT's job is to understand which users need non-SOE assets and how to best risk manage them. I have, with IT's assistance, set up "black" networks of massively non-SOE equipment. Because I _needed_ x64 with 6G of RAM running CAE software that was too beta to be anywhere near the "approved software" list.
Likewise, most of my technical staff ran additions to or variations of the SOE (e.g. adding Perl and Cygwin, MathCAD, Mathematica, browsers other-than-IE).
Given that the IT dept. was sane (rare, I know) we had a continuous process of risk analysis and qualification which allowed us to slowly move our non-SOE software and hardware from the "fired if connect it to the network" through "other side of that firewall, no services except mail & one drive" to "approved option" status. As with anything, it's a case of work with the human closest to you, make sure she/he looks good in front of her/his boss. And say "thank you" in good measure.
And most users are clueless as to the pain of supporting them - particularly with the amount of malware/EULAgrief out there.
The best soln to any real IT issue is to have the CEO operate from your office for a while.
I work in an academic environment where it's pretty much essential that many users have admin privileges. We do a lot of high-end scientific computing, so hardware and software requirements vary a great deal from one user to the next. Still, most of the hardware procurement is done through the IT department, and they do a good job. Software, on the other hand, would be a nightmare if it were done that way. The IT staff manage the security software and policies centrally, but individuals need to be able to install whatever software we need, including many programs that we write ourselves in a variety of languages for our own needs as the need arises.
For day-to-day IT problems in this environment, it also smooths things along a great deal that we all have admin access. Face it, the IT helpdesk is a bunch of newly minted, underpaid graduates. Many of the rest of us have been programming for decades, and while that doesn't make us IT or security experts, it does mean that we've picked up at least as many of the basics as the helpdesk staff have.
I did some contracting for a large but surprisingly enlightened government department who had a policy I thought worked really well.
By default, all the PCs were locked down and they were all supported by IT. You could apply to have more control over your PC if you needed it (and as a developer I did), but you and your supervisor first had to sign an agreement taking responsibility for your actions.
That responsibility included not uninstalling things like antivirus and remote management tools, agreeing not to install unlicensed software, always using backed up networked drives for important files and basically fixing anything you broke. If you stuffed your machine up, your area was charged by IT for the machine to be reimaged and it would probably be locked down again. If you installed unlicensed software or through negligence did something like introducing a virus you faced disciplinary procedures.
The policy worked great. Most users weren't interested and stayed locked down. Competent users were happy to take responsibility in return for more control and those that thought they were competent but actually weren't were usually stopped by their supervisor before they got "low lockdown" privileges.
One of these days I'm moving to Theory - everything works there
The article is not about "letting users run anything they like, anyway they like". It's actually about IT departments discovering that
a) one size does not fit all and
b) the end user might actually be able to do some of our work for us.
Unfortunately, this IS news to a large number of IT czars around the world, who spend too much time at lunch with large vendors' salesfolk.
-- Butlerian Jihad NOW!
At my last job, the hardware was company supplied. I had Local Admin rights and was able to install software (and connect the prototype mobile phones I needed to connect as part of my job). Security updates and virus stuff was all done by IT. There was a list of software that was banned (p2p, spyware, stuff like Google Desktop and GoToMyPC that was a security risk etc) and rules about not installing stuff that you didn't have a license to. Installing stuff like Firefox was allowed.
400 employees at peak.
It really depends on the shop though. I don't suppose my policy would go over too well at a bank.
As for problems that arise because of this, well... I get paid to solve them and not bitch about it.
I don't see too many technical issues that I can pin on non-standard software. Liability for piracy is a bigger concern, but my users are generally pretty good about that. Being able to purchase what they need to do their jobs without too much of a hassle helps. Having all your engineers run linux helps too as most of what they'll install is open source.
asking a bus driver if passengers should be allowed to drive their own cars. What would you expect as an answer?
Every single user at Apple is responsible for his or her own basic support, with admin privileges. Not just the developers, not just the hardcore techies, but also the secretaries, salespeople, attorneys, etc. And guess what? It all just works, across a wide variety of hardware and OS upgrades. There are maybe a dozen or so internal help desk people answering the phones. They spend most of their time handling what would be Tier 2 or tougher problems in most environments. (Then again, they must have some of the toughest jobs in the business. Half the time they're taking calls from ordinary folks, the other half they're taking calls from the engineers who wrote the OS or designed the hardware.)
--Paul
I'm not sure if the rating system is messed up and I'm just seeing the ridiculous comments or what, BUT for networks with more than 50 PCs this idea of letting users manage their own desktops is at best counterproductive.
1. Users install things they don't need.
2. Users install things that are damaging to themselves and to their computer.
3. Users rarely have the adequate insight to the overall picture. IE why would streaming my favorite TV or radio station affect anyone else on the network?
4. Users do not have the adequate knowledge most times to make intelligent decisions. Example, I have a user who cloned his own workstation and renamed it. Not knowing that the SSID wouldn't be different between the two and piss WUS off to high heaven.
5. Users are not IT professionals. I don't hire the mechanic to come install my programs and the mechanic doesn't hire me to rebuild transmissions.
And as far as hardware goes, I think I need an XPS system with 4 32" plasmas. I could use them ... will I get it? No, because I live in a world where I have to beg, borrow and steal to get a server for new requirements I have to meet, let alone let users decide what hardware they THINK they need. Not to mention approvals for device drivers, long term support. I'm just really floored, guys and girls, is this a tech web site or just old guys who think they know IT.
Jason
"IT" proper is one manager, one admin, and a handful of developers. We're given some hardware (decent) and told "set up a system. You need to be able to do X, Y, and Z" (say, Subversion, Java development, and Jabber). There's a pile of vendor Windows CDs, a pile of Linux CDs, or you get someone to burn something for you, and you go to it. Problems are few, complaints are pretty much nil, and the only big problem is when someone manages to completely hose their own machine -- at which point they're expected to fix it themselves or reinstall real quick so they can get working again :)
But yeah, the reason it works is because
1) We all have clue, and
2) We're not big -- in the sense that the people in charge of creating "IT policy", the people in charge of implementing it, and the people who have to live with it, are all within earshot of each other.
And for the past decade or two everything has been fine. There are a couple users who use some of the extras, but most are on work and maybe browse.
Nice thing about the Macs is that a lot of the "crap" on-line just isn't compatible so they ignore it.
My worst problem is iPhoto, which looks slick but is a nightmare behind the scenes making lots of archival copies of images (fills up hard drives real quick) - just waiting for Picasa for the Mac to arrive...
Though my plan is (one day, in a few years) to do thin clients with LTSP, most of what we do is data, web surf, word process and some light DTP, all could work under Linux. My office DB I'm writing on LAMP and the admin department is getting an accounting system that is also web-based so many of the hurdles are going away. We don't have any investment in Exchange, etc. Compatibility is our only issue, and for our office we have one Windows laptop set up for accessing/opening those platform specific reports/documents (though it doubles as a Linux PC for faster Scribus than what the Macs can do).
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Reminds me of a video I saw a while back...
Trusted Computing? Yes or No
http://www.accountkiller.com/removal-requested
To deny these truths is to deny basic sociology. And as I said, 10 years of first hand experience that is amplified by every competent admin I know.
I suppose it depends on the society then. I used to do support at a medical center with about 2200 Macs (pre-OSX). The users were pretty much self-sufficient and there were 4 support folks to help the ones that got stuck, or to deal with hardware problems.
There were a *few* problem users, but they were warned by management and usually stopped, and regardless it would have been much more expensive to have a dozen more support staff to lock everything down.
This happy situation changed once Windows worked its way into the picture, so I think it's as much a system fragility problem as anything.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I won't work at any school that doesn't let me install LaTeX and Scribus on my computer. I refuse to use Word (its quirks and limitations drove me batty years ago). I'm an excellent teacher, so if you want me to work for you, you have to let me install my own FOSS.
I'm sorry, but the question is stupid. Of any group, Slashdot readers should know that "On A Computer" does not make something totally unique. If you're going to totally lock down their computer because they might have illegal stuff there, you should also be locking all of the drawers in their desks. After all, they could have something illegal hidden in there too. I can understand it in a high risk environment, just as I can understand not letting employees bring purses and briefcases into the vault at a bank, but this whole "But it's on a computer!" line of reasoning is plain silly.
It gets even more ridiculous when you start talking about businesses that lock down speakers so that people cannot listen to MP3s or CDs because "work shouldn't be fun", or "they might be pirated". Yet, again they don't ban people from putting the CD wallet with 20 burned disks into their desk drawer.
Why even say what you did, as the world will never be perfect and the truism here is I BUY IT, IT'S MINE; if I'm stupid and uneducated I get what I deserve. NO RESTRICTIONS, that only forces me, when I need to do something on my own, to hack my own stuff. Once again it's fascist control that we need to stop. No more control, thank you, NO FREAKIN MORE, from traffic shaping to telling me where to shit. What's next, who I have to breed with? OH wait, I'll be forced to donate sperm and no sex be allowed. Why not just turn off the net, force everyone to buy a digital box with a PVR and you can only have that much and pay 5 times what your old net cost was, give 'em a chat you control and a small lil keyboard and have it auto censor and only allow so much talking (talk shaping anyone), we can't have you yapping too much.
This can and does work. In the technical support department.
You see, if you expect your users to support themselves, they need to have enough knowledge of their machines to do so. Unfortunately, about 90% of the entire workforce does not possess this knowledge.
So unless you're an ISP, and technical support is 90% of what you do, this won't work.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Given usual savviness that is expected from professional IT crew, attempts to convince users to dismiss root access to the station are granted suspect of compliance with surveillance tactics by employer.
Of course the assumption doesn't apply to tech-support addicts. Where is my antivirus and so.
Read The F*#k!ng article. Google deploys Google Apps; the biggest advice is to get everything possible off of the end-point machines and onto the servers, that way you don't have to worry about the above. Also there are tools to ensure security suites are installed, etc.
"Where have all the good people gone?" - Jack Johnson
In most Macintosh-based companies I've worked at, users have had full responsibility for their own machines. In fact, one tech said to me on my first day: "Here's your new machine. It's a Power Mac G3. Here's the login info you need. You can install and configure it the way you want. Just let me know if you need any help." Obviously, that is not the norm, but it tells you something about the trust Mac users put in their stuff, and how good it is to work at Mac-based businesses, because you are encouraged to learn everything about your tools.
Beauty is in the beholder of the eye.
You insensitive fool! The politically correct term is "the learning disabled", not "users"!
What about Semco? They have no IT department (at least not at the time the last book was written). Let users take responsibility for their own machine... If they can't use it then they have to use pen and paper. If one employee is more productive because he keeps his computer up and running, he is the employee I want. If you crash your PC, and as a result lose a big contract, that is your own fault. So let users manage their own PCs but you also have to remove the safety net of an IT department.
I strongly support this initiative. For YOUR company. Have fun with it.
In the meantime, we'll be over here, competing with you. Users have not shown themselves to be overly savvy about IT equipment, policies, and configurations in general. So while all hell breaks loose over in your company, we'll be over here doing it the old fashioned way, with professional technical support making informed decisions. Let me know how it works out for you.
If this were Usenet, I'd killfile the lot of you.
Yeah, it's why I run Linux on my laptop - none of the IT folks in my company will touch it!
Anyone who has ever worked in IT knows this is a terrible idea. Most (99.9) of users cannot manage their own PCs.
Several things have already been mentioned, but software piracy is number one.
Turning off anti-virus is another problem.
Installing crap that breaks apps needed for their job is another.
A PC issued to you by your employer is not yours. The less control IT has over the PC, the more work it is. Ultimately, IT will be held responsible, even if the user screws it up. We all know this.
Honestly, this is a ridiculous article to even have on Slashdot.
If I had my way, we'd have everyone on Macs.
I was the most capable computer user in an audio video manufacturing company and made my own selections for equipment and maintained it for 7 years. I also helped with other computer problems in house on a case by case incident basis. I was not the IT guy but I was the one who knew the most about computers. My own computer was set up as a dual boot with Windows and SuSE Linux and I used the separate Linux drive to back up files for the Windows side. It saved data for me twice when the Windows side was cratered by malware or other problems. I also owned the software I put on the computer so I was my own license holder for the software.
We've been working in a 100% policy free environment for a long
while, being a small team of peaceful geeks. Everyone got to pick his
or her machine, OS, software... Eventually, we had to agree on
moderating our network use (in bandwidth we thrust...) but that's
pretty much it... A "policy" was something we agreed on orally,
and the privilege to go against it was acquired by saying "mind if I ?"
All was cool until that day, when we started growing and hiring...
Here lies the bomb : Low-life and untalented geeks !!! We ended up
with people intruding our computers, creating backdoors on our
servers, opening ports to download porn...
Here's my advice :
If:
1- You know your people
2- They're competent (YOU think that they are... as opposed to
THEY think they are...)
3- You are ready to spend time to train them and they are willing
to help each other (sometimes, this can be way less than
administrating the whole thing)
4- You can foresee some benefits for any of those reasons:
4.1- Having different approaches on things
4.2- Not having your whole intelligence system to rely on
one person, one system or Micros~1
4.3- Allowing your team to experiment, discover and develop
new competences (that, by the way, you might not have)
If your team (or parts of it...) satisfies this, go on and you'll
probably see that the time you have to spend on administration is
going to decrease quickly as your team gets autonomous... If you
answered no to 1, 2 or 3, forget it... Get them a cute little account
with zero privileges and ponies on the desktop... If you answered no
to all 4s, we're obviously in different spheres...
Have a good one
...with users who don't know what the hell they're doing in the first place. There's no way I'd want this. Most of our users would screw everything up in no time. The other half would have Limewire and a bunch of other crap installed to mess the computer up.
We'll keep things as-is, thanks.
HELL NO!
Most retard end users can barely turn the fucker on, let alone understand software licensing or hardware installs. The only time this is a good idea is if your IT department has a surplus of man-hours and doesn't want people to lose their jobs.
What needs to be mentioned here is that that isn't your computer, it belongs to the company. If there is a problem with, say, child porn, and the powers that be find out your company didn't do anything to prevent such content from being distributed on a company-owned computer, then your company is on the hook the same as your employee.
THIS IS A BAD, BAD, BAD, BAD IDEA. Support costs/demand will skyrocket if they CAN still get help from IT, but if they can't, well, the computers in your company will be completely unusable within a month. This is far too expensive an idea for it to be viable.
Never underestimate the power of stupid people in large groups.
The Job of a WELL STAFFED IT shop is to regulate the COMPANY'S assets. The user should have NO say so in how this job is done. People always think that they need more computer than what is actually needed. Me being an IT manager, I do not and will not let users manage assets or the PC that they use. It was tried prior and all you get are tons of software (unneeded software) and problems that could have been prevented by locking down the systems etc.
BWA-HA-HA-HA-HA-HA-HA-HA-HA-HA-HA!
You're kidding, right? This is a late April Fools joke, right? I spend half my working hours cleaning up luser screw-ups, and you want me to let them ADMINISTER?
The malware writers must be drooling.
Regards;
Hardware, maybe, for laptops... different people have different speed/battery life/size needs. Desktops, you reduce that list to speed (fancy graphics, or extreme storage only rarely pops up as a need), so I think you can just have a list of a couple standard models you update every few months.
Software? Configuration? Are you kidding me? 99% of users should have their boxes locked down tight.
Obviously, special allowances need to be made for programmers, testers, and the IT staff themselves, but even there, I wouldn't underestimate the benefits of standardization; I just think practically it's going to be more limited in scope, it has to be mostly self imposed or you'll have a revolt on your hands.
1. We trust users until they give us a reason not to. But we also arrange things so individual users or machines are unable to do significant damage to others or to the network.
2. We can't afford to support a separate custom configuration for each employee, yet we realize no two will have exactly the same needs. We accommodate this dilemma by installing critical apps, even if used by only a small number of people, on company-maintained servers rather than users' desktops/laptops. Access is via Remote Desktop, Citrix, VNC, X, or a Web browser. Local machines have as little software as possible - preferably none except what is necessary to access the servers. This makes desktops more or less interchangeable, and also greatly reduces dependence upon Microsoft.
3. We have a strong bias toward Open Source and open standards/protocols, unless there is a solid and sustainable business case for doing otherwise (which is very seldom, except for industry-specific niche products). Thus, most users have OpenOffice, Firefox, Eclipse, etc.; if they have a business need for MS tools, these exist, but usually not on local desktops; they get to them via remote access of some type. Laptop users may get their own copies if there's a real need, e.g., if they must frequently work disconnected from the Internet and therefore the VPN.
4. Network traffic is not routinely monitored, but it is logged. Should spam, viruses, trojans, etc., or just plain old excessive use of Internet resources, become an issue, we can look at the logs to get a good idea of what's going on.
5. We try to filter Web traffic intelligently. Sites known to be malicious are blocked as are those very unlikely to have any business-related purpose (e.g., goatse...). Most others are allowed until they give us a reason not to be. We do not for example filter blogs, or Slashdot; these can be useful and work-related tools especially for developers. But if an employee is found to be abusing them, to the detriment of his or her job and/or our company's resources or reputation, then of course we will discuss it. Since our setup is very flexible, so are our options for dealing with the problem. We can adjust filtering rules on a per-employee basis; we can throttle traffic by employee or by port; we can of course punish the employee but we'd really rather not have to do that unless they've seriously and willfully breached our trust.
6. In this environment, we don't really have to know or care what is on users' desktops or laptops - but we also don't have to support it. We can remove admin rights if necessary without seriously compromising their ability to work.
7. One potential weakness: we presently do not have automatic monitoring of license compliance; we could potentially be held liable if a user installed something on a work machine without being properly licensed. Several of the above strategies help mitigate this risk, but they do not eliminate it completely. Naturally we are looking at ways to do so. We're pretty sure it can be done without draconian changes to existing policy, which really does seem to work well for everyone.
Nonaggression works!
TFA cites Google as allowing employees to configure their systems on their own. IBM does the same - there are preconfigured OS images (WinXP, Red Hat, Ubuntu) with everything configured. In addition, employees have to adhere to internal IT guidelines. Everyone has root/administrator access, but is warned not to install unauthorized software. There is also an audit tool that scans your system for adherence to rules (password strength, no shared folders allowed on Windows, and no P2P software). OS and other patches and fixes are delivered by an in-house system that replaces Windows Update. It also depends on the kind of users at your company. Software geeks are usually informed enough to look after their computers; you would not want to trust the average clueless noob with administering his/her own workstation (these would predominate in a company whose core business was not software related).
"..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
I've pulled that and other crapplets & spyware off of enough of my users' machines, stupid little programs that they've installed tend to cause enough performance problems in their workstations that they become my problem. That makes me want to tighten at least those users' permissions so they can't keep wasting my time with junk like that.
I've worked mostly in small shops, (10-35 users), and there have never been more than 2 or 3 that could be reasonably expected to maintain their own PCs. Most of those who could would not. They see such 'drudgery' as beneath their status. After all, what do we have an IT guy for?
Speaking as a former IT consultant who was paid beaucoup bucks by the baby boomers to periodically remove AOL installs and restore screensavers, I say this is a natural development and long overdue.
It is time to acknowledge that the newer generations entering the workforce grew up with computers all their lives, and dang it, they had plenty of time to learn how to use them properly.
So, managing your own desktop is entirely logical and reasonable for younger workers (under 40). Older workers probably still need help, but they've become accustomed to IT restrictions, so they can continue until they retire or are phased out.
It's a healthy attitude for business to take--computers are ubiquitous and, dang it, you are expected to have learned enough in your life to be proficient with them.
Giving employees PCs is a bad idea. Letting employees manage their own PCs is a horrible idea.
Everyone gets a thinclient unless they have a high end graphics requirement such as CAD.
Not only is everyone a restricted user, they live on a thinclient with no moving parts, no CD reader, no floppy reader, and disabled USB ports unless specifically authorized with an approved business use case. Their real desktops are XP VMs on an ESX cluster node.
The XP VMs just don't break, and even if a restricted user managed to break one, it can be reprovisioned in less than 10 minutes.
The thin client hardware has no moving parts and nothing for them to misconfigure. Most laptop users get a thinclient laptop and a 3g card, there is no data on them to be lost or stolen. PC techs can focus their time on supporting the high value CAD users and executives.
For the rank and file, everything just works.
We have everything on lockdown at my office. Right down to what mouse to use... :_(
First of all, I'm a Unix admin and have done my time in the trenches (AKA user support). In that world, we'd occasionally get people asking for (or DEMANDING) the root password, so they could install software on their workstations. If they wouldn't give up, then if their manager presented a written request, we would have them change the root password on their workstation to something they knew and we didn't, and they'd never hear from us again. It's either our machine to administer or theirs, but not both. If we were feeling gracious, we'd give them one free rebuild the first time they blew up their machine, but not very often.
In the Windows world, ignoring all of the painful permission settings, there's ultimately only one additional issue: Malware. Allowing users to manage their own PCs means that virus protection will NOT be maintained, spyware will be installed, and spambots will appear in the environment. This is a pretty big risk in my mind, but I view a corporate Windows environment to be a pointless risk from the outset.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Just track the skill level of the users. Some you will need to completely manage, others will require just some minor advice from time to time.
If that isn't the option, you must shoot for the lowest level of competence; which means tight control on the users' PCs.
The Kruger Dunning explains most post on
The organization is key. I worked support for a billion dollar construction company. The average user was below average in IT knowledge. EVERYTHING was locked down. By-and-large the folks in the office were promoted from the field. And in the field, if something didn't work, smacking it with a hammer and swearing were the first two options to get it fixed. I have been chewed out because Bubba-Ray's computer didn't work like he 'Thought' it should.
Most everyone had college degrees. The problem was that they were in mechanical engineering, structural engineering, or accounting. Nothing that would give any insight to PC maintenance.
"They'd come to rely on some absurdly obscure or broken application, "
So you have poorly implemented policies, not understanding of the users' needs and it's their fault?
Typical support attitude.
The Kruger Dunning explains most post on
Ha ha. Ha ha ha, ha ha ha ha ha ha, ha ha ha ha ha ha ha, ha ha ha ha ha ha ha ha ha ha ha, (help, I can't breathe) ha ha ha ha ha ha ha ha.
I work at a company that makes furniture with your own setting. Just put in width, height and depth and it'll give you the price and a simple wire image.
main page:
http://www.mooble.fi/ (only in Finnish)
... or an example of a product ready to put in the shopping cart:
http://www.mooble.fi/tuote2.php?_leveys=160&_korkeus=160&_syvyys=30&_maara=1&_pintamateriaali=4&varikoodi=M300&_variid=43&_id=11&muutettu=1#laskuri
Ville / Varuste.net
That sounds great for a shop of 100 computers. What about a real corp?
Let's take this scenario...
Somewhere w/ about 3000 people and 1000 computers or so.
200 of those computers "belong" (are assigned) to individual users, and the rest float.
For about 60 of the float computers they are assigned on a per shift basis, and the rest have floating profiles.
24 hour use for all 800 that are not assigned to individuals.
The first 200 guys are using high demand (proc and ram) apps, using large databases, spreadsheets, and analysis tools.
The other guys sometimes might use a spreadsheet, but mostly just need some terminal style apps and IE. Sure, these latter guys could be put on a terminal and most probably wouldn't even know the difference.
Put the first 200 on a terminal, and they will kick, scream, and throw productivity #'s around until they get what they want. These guys ultimately have control over I.S. because they are the corporate leadership. While they will approve most reasonable IS decisions, they are not going to allow something like this to get implemented due to loss in productivity (real, assumed, or otherwise).
It's these guys you have to worry about though. But it's a small subset, of those 200, maybe 30 know their way around an OS. Maybe 15 have actually tried a distro of some sort on their own. Really, these guys can take care of themselves. But if one goes ahem... above (below) and beyond any connection between work and personal satisfaction what can you do? If you disable something, they'll re-enable it. If you lock em out of BIOS, they'll open it up, clear the CMOS and go back. If you disable admin, they load a Knoppix pw breaker disc.
Well, you warn them, call em out, warn them again, then can em!
How much is your data worth? Back it up now.
I think a little common sense is in order here. We don't need to choose between clueless users wreaking havoc and technically adept users being prevented from getting things done.
Here's what I would do:
1. By default, every PC is locked down and managed.
2. Users who want to make changes to their setups can apply for greater control. In most cases they will be approved.
3. Users who opt to take control also take responsibility for fixing their mistakes. If you cause too many problems you may lose admin rights. That's not to say you can't still get support within reason.
4. Users must follow some basic policies about what can be installed, and must go through IT to manage licenses for anything not explicitly free. There will be spot checks.
I think users should be given more responsibility on what goes on their computers, but at the same time, make sure they get to feel the consequences of bad behaviour.
Just charge out extra support time to the line manager, and mess up his budget, and he will get the message and will make sure his staff is responsible.
By all means, make it harder for spyware to install itself, and give users tools to review their licenses, but let them take some responsibility. They can actually surprise you.
Failing that, you can delegate the authority to someone close to the user, like their line manager. Have users ask him to install new software before they do it. Works almost as well, and meets most of their needs.
The previous large company I worked for had standard workstations and standard builds. The problem with this philosophy is that power users (developers, etc.) get the same everything as basic users. The standard builds had a lot of software I never used and didn't want but it was provided just in case somebody needed it. The anti-virus program was set up to run scans on Friday afternoons that hogged all of the resources on my machine. Sometimes we had machines that were incapable of doing what we needed them to do and our immediate management had to jump through hoops to get us something we could work with. The standard process was to lock down all machines, but they got tired of developers constantly needing to install software to do their job so they gave us local admin access if we followed the correct process to request it. That company was also bad about recycling machines. They would pass a machine on to the next user without re-imaging it so I always wiped the drive before returning a machine (I learned to love DBAN). I seemed to always get the old, worn-out hardware that wasn't sufficient to do my job. I kept talking to my manager but that never seemed to go anywhere. I burned out one 4 year-old laptop with insufficient memory and processing power. That machine went through two hard drives and started to randomly shut itself off before I finally got it replaced with a machine that was a year newer. I finally got a better machine when one person left the company and it was still a year or two older and far less powerful than the one my manager was using. Obviously my managers at that company were out of touch with reality and I took that as a sign of how much they paid attention to what I was doing and what I needed to do my job. The one thing I always hated, though, was that they never provided backup solutions and their standard answer to fixing problems was to re-image the drive.
A manager once had problems with his email client so they re-imaged the machine without backing up the critical data (like they were supposed to do) and he lost everything! When my hard drive failed I lost several days of work then lost another day getting my machine back to the point I could use it again. At my current company, they have standard hardware (but powerful enough we can use it) on a 2-year refresh policy, a standard build and anti-virus software that runs once a week, but nothing is locked down. My laptop dual-boots Ubuntu and Windows but I have not booted into Windows in months, actually I have a desktop with Windows that I use for that and also run VMWare quite often. I only kept Windows on the box because of things like the fingerprint reader (registering boot fingerprints requires Windows). They still don't provide backup solutions, but I have my own solution (drop backups on a network drive and to an external drive I bought with my own money). I think in most environments it is necessary to trust your employees to use their machines appropriately. If you are developing confidential software or the machines are shared between multiple people, that is quite a different story. I think a company should set policies as to proper use of a machine and train the employees to use them. Standard hardware and software builds are typically necessary for large corporate environments because there is standard required software and they deal with too many machines to custom-build everything. I also think that companies need to provide several hardware solutions, not just a one-size-fits-all approach. Employees who travel to client sites to do demos prefer the smallest laptop that will still do the job because they have to carry them everywhere. Developers want the latest, greatest thing on the market because they need the maximum CPU, memory and disk space to do their job effectively. 
I typically have a bunch of windows open so I want a large screen with the highest pixel count available. Most developers get laptops for portability but use them like desktops so weight isn't an issue. I know several people who never take their machines home. Most people in my office have a second monitor.
We technically have an IT group, but they manage infrastructure and servers. Your desktop or laptop is your business.
You set up your infrastructure so you can push out those scripts on a per user or per machine basis on demand.
When we reimage a machine, within 10 minutes of logging in a user will get everything they had on it before via advertised programs.
This also makes life much easier when it comes to an OS upgrade - you've got a per-user list of applications, and you can also handle the licencing situation much better.
You must work in a very backward company - IT can and should be actively adding business value left, right and center. Putting in systems that make business processes more efficient, saving money and time and freeing you up to spend more time on areas where you can add more value. Working strategically with the company to suggest ways that technology can help the way the company functions. IT as a utility is a *very* dated worldview.
I've got a CS degree, and I've had the opportunity to write software, that said, I've seen too many programmers (that do not own their own companies but, in fact, work for others) that feel they should have complete control over their development tools (software and hardware).
These individuals feel that they should be the masters of their own universe, and they dislike taking direction from those that employ them. I tell these programmers that if they dislike working for someone else and following their rules, they should start their own company and bear the responsibility of all that entails.
As a network manager, my responsibility is the safety and security of the network. It is my responsibility to put safeguards in to recover our systems in the event of a disaster, and to keep the network and attached systems running as reliably as possible. That may mean that you don't have administrative access to EVERYTHING....too bad.
If a business case can be made for that type of access, then most companies will have more flexible provisions in place (like a development lab where things can be allowed to blow up without impacting production).
The points I tried to make earlier are that, for most industries, IT is not the primary objective - it is a tool that makes others productive. The workers in those industries would be less productive if they had to maintain their own computer systems.
-ted
There are legitimate business reasons to lock down computers, but the decision should not be an IT department decision. The fundamental equation is that locking down PCs makes the IT department jobs easier, but often at the expense of innovation and productivity of the rest of the company. So, to an IT department measured on uptime and ability to resolve complaints quickly there is only one answer. Don't let the users do anything. But a business trying to maximize its investments versus mitigating risk has other priorities which may override the concerns of the IT department's convenience.
It depends on the user. Many end users are clueless. They'll just mess up their computers until they come begging for help. However, some users may need additional software other than the standard in order to do their jobs. In that case, it might be advisable to grant them management privileges on their PCs if they are a knowledgeable power user.
The place where I work is mixed. I have two workstations. I control what software I install on my Windows box. Since I'm a sysadmin myself (just not in the larger IT group), I could probably handle the Linux box myself if allowed, but most of the time it would just be too much trouble.
"NASA used to be this way where I worked in the 90s. We ordered our own PCs, set them up, installed all software"
Now, seriously, I can't imagine how you can be so smart and get a job at NASA, and still can't see that NASA, Google, and the like are not the average company.
IT guys know about these kind of users, and they -we- try to give them all the freedom we can.
Most users, and I'm talking 98% just simply SCREW UP. They do, honestly. In fact, the more computer literate they think they are, the more dangerous they are. Academic environment is one thing, but unless you live in a campus, take a look out your window and tell how many 'academic' people you see.
As for developers, they have a tendency to be a p. in the a. for most IT depts... They really should be apart from regular users, on another subnet, domain, forest, whatever. Give them liberty and then watch them crawl back asking for the ghost image of their machines...
"6. User keeps getting infected with viruses.
enforce running AV"
Oh no!!! Did he say "enforce" !!! You are hurting my personal rights!! Why can't I choose this or that antivirus, or best of all, no antivirus... After all, it just slows down my PC.
And why should I use Firefox instead of IE? What's the problem with surfing the web?
The high (resource) demand users are the easy ones.
"you prove you need it and I'll give you 4 procs and 16g of ram"
As long as they aren't doing cad or video production, they are covered, and I've got the historical performance data for their VMs captured in a SQL database to prove or disprove their point.
On a rollout of that scale, you'd use a connection broker with automated provisioning to group and assign the floaters.
You're still going to have desktop PCs and laptops for "high value" end users, but the masses don't need them and it's a waste of both resources and capital to give them desktop PCs.
There will be opposition. You're in IT, grow a pair. If you are that thin skinned you've probably still got individual desktop printers, maybe even hundreds of them.
I would say this really depends on the users. At my current employer, engineering, sysops, QA, etc. (the technically skilled, basically) are allowed to pretty much do whatever we want. The overwhelming majority of engineering here uses Macs, and most of the rest are BSD or Linux. I have a MacBook Pro, and run Linux in VMWare Fusion, in addition. If I really wanted to, I could install Linux natively. That would be a self-supported configuration and I'd be on my own if it didn't work (IT support would be limited to reinstalling OS X), but I could do it if I wanted to.
At my previous employer, pretty much anyone was allowed to install whatever OS they wanted to, and most of engineering, support, sysops, QA, etc., there was running a Linux distro. No standard one, just use whatever floats your boat.
This was very good for productivity, and I'm not aware of any problems arising from it at either place. However, if typical end user types were allowed to install whatever on their machines it would be a mess. My wife (the only Windows user in my house, and someone who neither is nor even wants to be computer-competent) recently complained that her Thinkpad was very sluggish. I examined it and found over 100 different pieces of crapware. It all seemed to have arrived in March when she installed a few "free" games. Without mentioning it to me, of course. I reiterated my previous admonishments about not installing software unless I've vetted it first. This time, I think she'll actually go along with that. I was up until 3:00 AM fixing the machine, detailed what I found, and the speed difference was very noticeable.
An IT department would be nuts to let someone like that have carte blanche on their machine, but I think letting the technically competent do pretty much whatever they want, with the caveats that A) You have to be able to get your work done, and B) We only support a given list of apps and OSes; if you go beyond that, you're on your own. In my experience, it's unquestionably good for productivity and morale to let the technically competent run whatever software suits them.
I have seen instances in which FOSS programs bring to its knees full corporate networks.
On one occasion top, ported to Solaris, was literally creating a denial of service attack by swamping one name server in our network with loads of stupid requests.
It is not all about licensing. It is also about security, design and support costs.
You think you are too clever by two, in reality people like you are an IT accident waiting to happen.
IT support put restrictions in place for a reason and tend to be quite defensive because they are protecting everybody's bacon.
IANAL but write like a drunk one.
If I need to go to backups in any form, that is a waste of time.
Companies are not in the business of recovering data from backups, their business lies elsewhere, so every time recover from backup is requested, you are making your company less efficient.
IANAL but write like a drunk one.
If the only shares users can access are remote ones, then all that juggling is completely unnecessary.
If at the end you are using NAS, why not cut the middleman software and mount NAS volumes directly in users' machines?
Then you have snapshots (much better than backup from the user's point of view) and manage backups there...
IANAL but write like a drunk one.
... has serious security problems. The worst part is that they are fully unaware of it....
IANAL but write like a drunk one.
You need to configure a remote access solution (VPN, Citrix, Sun SGD) which ensures you can access any data or application you need in your office without holding any data at all in your own computer.
Any company not doing this nowadays has incompetent Systems Administrators. No ifs, no buts.
IANAL but write like a drunk one.
Users should not have Administrator access. Period.
Somebody should fulfil the systems administrator role and install software for the user, once all applicable policies are followed (licensing, testing in a segregated machine for security issues, etc).
You don't do this, then you open yourself to all kinds of nasties.
IANAL but write like a drunk one.
The unrelenting strictness of your outlined approach to network security means you're either Mordac from the Dilbert comics or it's your IT department that earns all the company's money.
Seriously, in most cases it's the users, the lusers and the cow-orkers in sales and accounting that fund your department. Heck, even a million quid saved in hardware expenses cannot make up for the productivity losses of several dozen semi-frustrated users or the probability of having no workaround when things in your data center go ever so slightly wrong.
When your first and only reaction to opposition is sporting a stiff upper lip, then you should work at a local university or government agency. Your users are your customers and when they're too unhappy or their tools too dumbed down they can't focus on bringing in the cash.
The computer is a pretty universal tool and it would be extremely stupid to tell people to use it in an oh-so-limited fashion. You are then stifling innovation, flexibility and self-reliance and preventing workarounds or important *mistakes*. Forcing people to conform to ultra-rigid bureaucracies and essentially treating them like replaceable wheels in a large gearbox never resulted in wealth, innovation or success. It didn't work at government and state level and it certainly won't work for a company whose workers are not enslaved in serfdom.
If you pull some serious restrictions, either your brightest people leave or your brightest people make YOU leave. Just wait 'till half of them start bringing in their personal laptops just to get some work done - with their boss' explicit approval. I do. And I keep doing so as long as thin clients are orders of magnitude too slow and IT departments take years to evaluate and allow GPL'ed programs like Firefox, Inkscape or Gimp on their holy networks.
You can save on Photoshop, Corel and all the other expensive dinosaurs, but just give me a physical machine where I can install GPL'ed stuff, a smallish SQL setup and a PERL environment without filling out a dozen requests.