Comment Balancing act (Score 1) 605
I've worked at places where individual users (developers, engineers, and other tech savvy folks) have admin rights.
In every case, it's a balance. The ease of getting things done quickly vs. manageability and security of the computer involved.
If you lock a computer down so the installed apps can be used but nothing else can be installed, it tends to be relatively stable, and you don't get rogue programs installed that cause problems and generate extra work for installers and work disruption for users. The other end of the spectrum means anyone can install what they want. You give rights to everyone and end up with constant rebuilds and virus problems, etc. These can be just minor annoyances or in the worst case can disrupt business or cause legal issues (like loss of private or protected data) that will shut the company down. At the very least they create lots of extra work for someone in the company.
So, many managers (tech savvy and not) are deciding that they need to lock down control of work computers. Basically, they remove the ability to do anything but run work related applications (centrally installed to ensure licensing works and to make sure everyone has the same version) to simplify support and lower costs (which are a big headache for any IT manager).
This makes things more complicated for individuals with legitimate business reasons to install software (like dev add-ons or new versions of libraries, etc). In the case of a locked down system, the central authority in the business for support needs to provide a way to respond to requests to install needed software quickly. This can be either an automated system with menus, or an on-call support staff that handles things. With remote access to desktops they can generally get things installed quickly enough that work isn't significantly delayed. If and only if management recognizes that this support is necessary (people hear what they want to hear, and too often management thinks the clamor against locking down workstations is simply bruised egos (see below)).
This problem comes in when a company decides to solve its rogue software problems by restricting desktop access but doesn't provide any way to request "special" software. Unless your company is very unusual, certain users will need software that's not generally installed everywhere, and not everyone will fit the "standard business software" mold. This is a rough parallel to IT departments restricting access and forcing change control for "production" tier systems without changing their development processes to remove the need for production access. You're left with a choice to either break the rules or not get work done, and god help you if you try to explain things to whichever manager is getting a pat on the back for "securing the system".
Of course, the reason most people ask questions like the submitter is probably due to ego. The emotion behind the question runs roughly "I'm a smart (guy, girl).. I've been progamming and running my own system since before this OS was released! I don't need a low paid staffer to handle this for me, and you're just slowing me down! I feel insulted by you not giving me privileges and trusting me to keep things working!"
Having control is a hard habit to break. Taking it away from people who've "always" had it is like introducing change control to a company that's always been a free for all... people see the change as extra procedure being introduced that is unnecessary and slows down "real work".
The best way I've found to deal with people who want admin rights because their ego demands control is to ask them if they're also willing to accept responsibility for their workstation being productive. The desktop support folks or central desktop team accept this as part of their job.. in cases of heavily regulated industries, there may be legal requirements for someone to be responsible for the integrity of such systems. So once you get the person complaining about a lack of access rights to calm down, ask them if they're willing to be legally and financially responsible for keeping their system working. If they're smart they'll say no and go back to work.
If they accept responsibility, put it in writing, follow through and dock their paycheck for the time their workstation is unavailable (you'll have to have someone check now and then). Once their paycheck takes a couple hits, they'll probably be ok with a lack of privileges, and they'll be a good example for anyone else who "has" to have admin rights.
Erik