CmdrTaco:
I have been on all three levels: developer, desktop administrator for developers, and server admin for developers. From my experience, it's easier to do it on a *nix environment vs. Windows environment - that's not to say it can't be done. If you have a good Windows Active Directory Administrator, you can set up GPOs that allow developers to have the necessary rights to develop and maintain applications in a production environment. The biggest pain is getting the developers to change their habits.
The way that my department implemented these accounts on the Windows side is that we created separate accounts. So, say for instance, your username is foo. We then would create in Active Directory an a_ account (i.e. a_foo). That would be your admin account. We then would create GPOs to access the correct registry information in Windows to allow debugging, installation, etc. on that machine. Since we have GPOs on a group of machines, if we needed to use any of those GPOs on the server environment, we could do that as well.
Once we got that set up, and educated the developers on how to use their a_ accounts, they were able to develop and maintain the production applications in Windows with no problem.
And if you wanted to use the same type of administrative structure on any *nix system, you could use PAM and sudo controls to give the developers the flexibility that they need.
Hope this helps...
IMO, when developers have total control over production machines, it's because management doesn't understand how admin controls can be separated from users, and the developers aren't open to a "change".