Devs only need some 'admin' rights (Score 1)
My former employer suffered more than one very serious work-stoppage (lost scores of man-hours) over the whole LAN due to problems caused by a developer whose Windows Domain account (and primary login on the local PC) had Administrator rights on the Domain and (thus) on the local machine. (This is due to Devs *not* being experts in networking, security, application and service mgmt, Windows domain policies, etc. If they were, they would not have needed a Windows SA, right?) It was only after this fiasco that the mgmt folks acceded to my plan.
- Put Dev boxes on their own network segment in their own Windows domain.
- Use GPOs for various security/software settings, including Windows Firewall rules.
- Give them VMs on local machines for development/local testing. (Cloning/Point-in-time images are AWESOME!)
- Give them VMs on the network for shared work/testing.
- Give them two accounts on their XP machines, one with elevated privileges. (Their 'admin' account)
- Have them use "RunAs" and their 'admin account' to elevate privs for tasks, like installing software and changing system settings.
It was a lot of work to set up, and a lot of pain the first couple of weeks to train/handhold the Devs, but it started to really work. Oh, it should be mentioned we had somewhat unusually high security requirements due to being in the financial sector and handling customer credit/debit card data, etc. But, really, most of this was designed and implemented to actually improve work processes and uptime. And it did.
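
An added example, not part of the original comment: one way to check that the two-account split described above is holding is to parse the output of `net localgroup Administrators` from each dev box and flag any everyday login that still has local admin rights. The sample output, the `DEVDOM` domain, the user names and the `-adm` suffix for the elevated accounts are all constructed assumptions.

```python
import re

# Constructed sample of `net localgroup Administrators` output from a dev workstation.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
DEVDOM\\Domain Admins
DEVDOM\\jsmith
DEVDOM\\jsmith-adm
DEVDOM\\mlee-adm
The command completed successfully.
"""

# Assumptions (hypothetical, not from the comment): elevated accounts end in "-adm",
# and these built-in entries are expected on every machine.
ADMIN_SUFFIX = "-adm"
EXPECTED = {"administrator", "devdom\\domain admins"}


def parse_members(output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members


def everyday_accounts_with_admin(members):
    """Flag members that are neither expected built-ins nor '-adm' accounts."""
    return [m for m in members
            if m.lower() not in EXPECTED and not m.lower().endswith(ADMIN_SUFFIX)]


if __name__ == "__main__":
    for name in everyday_accounts_with_admin(parse_members(SAMPLE_OUTPUT)):
        print("everyday account has local admin rights:", name)
```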