For four years now, I've been using a 400 mHz clod of a notebook PC for most of my work-related computing. It's been a faithful companion, albeit a slow one at times. So, you can imagine how excited I was when my employer told me that I'd be receiving a new 2 gHz, lightweight speester as a replacement! At last, no more waiting for large documents to load! No more rearranging my files every time I need disc space for a new download!<br /><br /><img src="http://www.pocketpcthoughts.com/images/adrian/notebook.jpg" /><br /> <br /><br />But... Now that I've got this cool new computer, the tempation to stray outside the "corporate standard" and install all sorts of operating system and applications upgrades is KILLING me! I mean, I can argue that I could be much more efficient if I were allowed to personalize my computer with all the tools and updates I want. On the other hand, I want to be a good employee and not create a Frankenstein machine that our IT department isn't prepared to support. What's a geek to do?

Just count yourself lucky that you don't work for the company that I manage the IT for :-)

We've been a bit lax over the last few years but, as part of the rollout of XP to everyone, we are going to be taking local admin rights away, and ensuring that all deployed software works with standard user accounts.

That should help to enforce the "this is company property, leave it alone" rule.

--Philip

P.S. It can be a right royal pain in the bum if staff start playing with their systems. True story as an example: one sales person recently admitted that he had been fiddling with his to get it to work on his home network and, as a result, had reconfigured it so that it was no longer a member of the domain. So no more email or any other productive work. He has now got to courier it back to us to fix.

As IT management, I would and so have the last couple of companies (both Fortune 500) take local admin rights away from end users. Save so much trouble from virus/spyware/adware/etc.

However, as a member of IT, I ask for admin rights the very first thing so I can install my needed apps (SQL plus, TOAD, etc) although I never mess with the core OS or MS Exchange settings.

You can install VMWARE and have your own "virtua; Win2K" running at the same time with the laptop's real OS.

You need at least 512 Mb though.

My company is still using windows 95! I would be afraid that adding anything would cause it to explode!

From an IT admin point of view... If the company is dumb enough not to lock up and image their inventory, the company deserves what it gets. That is how we used to do things, lock them, secure them and god forbid you touch them. There is a saying that goes: "if you spend less on your corporate security than on a cup of morning coffee, you will get hacked, in fact you deserve to get hacked" I rest my case. Hack it my friend – that’s what the company is telling you to do, that is what I would do, have that baby running Longhorn and experiment, hell put Lindows on it if you like! Having said that, this is why there are people like me, because there are so many companies that lack IT focus and direction who are supported by dumb IT guys. No offence, that’s the truth.

My IT dept remove all local admin rights. But I found that Activ sync would only run with full local admin rights! So they gave me admin rights but I don't abuse it too much!! I still don't think its my own Ipaq and not a corporate one!!
David

Just count yourself lucky that you don't work for the company that I manage the IT for :-)

We've been a bit lax over the last few years but, as part of the rollout of XP to everyone, we are going to be taking local admin rights away, and ensuring that all deployed software works with standard user accounts.



That was what we (I) did last year, but with Win2k. Calls to the Help Desk got reduced 30% after we were done with the rollout.

You can install VMWARE and have your own "virtua; Win2K" running at the same time with the laptop's real OS.

You need at least 512 Mb though.

That's my suggestion, get Virtual PC from Microsoft. It's a small install, and very painless to operate. Then you can create you're own image and use whatever OS inside the VPC that you choose.

The big plus of this, you can take your image and copy to another machine. 8)

My company recently upgraded to Win2K. As part of the upgrade, they locked the PCs down really tight. I couldn't even change the monitor refresh rate! :evil: I called support so often that they made me "adminstrator for a day" so that I could set the PC the way I want it and install some licensed software that I need and use in my daily work that is not enterprise-level standard. Now the PC is locked down again, but I am happy and so is support! :D

We have around 8000 pc:s, if we gave everyone adminrights it would soon be totally unmanagable. If a user wants these rights they sign a paper which basicly says "You screw your computer up - you are on your own - the only thing we will do is re-install with the official ghost-image". Although, if absolutely needed, they can get temporary rights to install something important (just so we don't have to send workstation support out for every little thing).

Ouch! I think you hit a nerve there! :D

As another guy working in a IT-dept. I would say: Please don't!

I really hate people who installs a tonne of stuff and then calls in and blame us when their PC is broken.....

I really would expect an IT-professional as yourself to know that most systems where alot of stuff gets installed (and uninstalled) will eventually need a fresh start. I would also hazard a guess and say that when your brand new computer is so slow as the old one because of all the accumulated crud, you will make it someone else problem -> the IT department.....

So.... when you do install something on your computer ( :roll: ) and then call in because cool nonessential gadget # 25 didn't work as expected, please have the courtesey to admit to what you have done! :evil: :bad-words:

Sorry if I sound harsh, but I just have seen hotbar installed on too many systems and pleaded the users (mailed to all) too many times not to, to let this one pass... :)

I just can't wait until our new automated installer system with XP takes over from our current win98 clients.... :multi:

I just had a similar experience.

This month our sales force went from Win 95 to Win XP Pro, and Toshiba e750 PPCs were issued. The Handhelds are only to enter sales calls. There's no memory space for much else. We just leave 'em home on the desk and enter info on the laptop at night; much faster. What a waste.

We now have a laptop so locked-down we can't even choose a homepage in Internet Explorer.

End user installation of software is now impossible on our machines.

-That- is the only reason we went to XP Pro.

But, as they remind us, often, "It isn't your computer."

Oh! Forgot the most important part!

Congratulations on your new computer! :)

That jump in performance should give you enough processing power to use one of the most important functions a laptaps can provide: Watch DVD's :rock on dude!:

If a user wants these rights they sign a paper which basicly says "You screw your computer up - you are on your own - the only thing we will do is re-install with the official ghost-image".I have the same agreement with the admin on my domain. My system is my responsibility. It should work at home as well as in the corporate domain. I may do as i choose, but if i screw up, it's the old ghost on my system drive (dynamic configuration and data are on another partition), and i can start again :). Large benifit for him is that i can provide some early feedback: a lot of applications are tested on my machine before rolled out to the entire network.

Jaap

Congratulations! :) Always good to get a boost in PC power at work. The hardware I'm using now is the minimum listed for the development software that I'm ordered to use. And, sadly, there are better (open source, even - meaning free) IDEs available that I could run more efficiently. :|

As for installing software... I'll put anything I want on my PC at work. The image we get is company standard and they take away admin rights, but my supervisor has an admin account that he uses to unlock all of our PCs after a reimage. Support? Doesn't matter. I know enough about my PC to fix most problems. Every time I've called about something I couldn't handle, their answer was to reimage. Never even asked if I'd been screwing around with anything. So why not make the most of my PC between reimages?

If a user wants these rights they sign a paper which basicly says "You screw your computer up - you are on your own - the only thing we will do is re-install with the official ghost-image".I have the same agreement with the admin on my domain. My system is my responsibility. It should work at home as well as in the corporate domain. I may do as i choose, but if i screw up, it's the old ghost on my system drive (dynamic configuration and data are on another partition), and i can start again :). Large benifit for him is that i can provide some early feedback: a lot of applications are tested on my machine before rolled out to the entire network.

Jaap

Same is the case with me. I rather say its my so I ll support it myself. Won't bug you watever happens and my machine won't damage anything on your network :p. So after that I install and personalize everything on my laptop to the max because practically its the only computer I use these days even at home.

Where I work, we are running XP and all users are local admins. Most surfing is blocked and it is nearly impossible to download programs from the outside. That being said, if you do load some "unapproved" software and a Deskside Support person has to spend more than 5 minutes trying to fix your machine, be prepared for Mr. Ghost...

Steve

Take the following with a cup of favorite drink, sit back , relax, and enjoy your day knowing that I understand and appreciate the IT point of view on lockdowns and its benefits.

Now the flip side...

Forced screen resolution... ever see a 19 inch monitor at 800x600? Forced refresh rates at 60hz that nicely matches the overhead lights for some good flickering and headaches. Holiday themed desktops that can not be replaced (well you can be changing the file name but that is a different story) Over night installation of new corporate software that crashes the computer... or fills up the hardrive leaving no room for scratch disks so you can only work with 5 meg photo files.

The always favorite removal of software over night (the same software that it took 2 months to order through the IT department, then they keep the cd and license, then tell you they lost your purchase info and gave the liscense to another person) Email accounts that can send files no larger then 2 megs (really fun for trying to get a photo shoot to an outside vendor) or an unpublished email policy that removes all .exe, .html, .zip, .jsp from the email automatically without alerting the sender or reciever (what? you didn't get that file? I sent it weeks ago and was waiting for you to respond.)

I dunno, but I think our company alone keeps floppy disks company in business still. We have to save files... then walk the floppy over to the other side of the floor at times... (we have one cd-burner for 15 people in my unit)

Sure, the IT department has less work on worms, viruses, people installing nonstandard software, but at an expense of productivity for the rest of us.

Yes that was a rant, but the moral I am striving for is... balance is needed. They have a job to do so don't give them too much greif, but that the IT department also has to be understanding and give a little also.

Our company uses a standard Win2K image that is heinous. They have so much crap installed on the image that it is slow as molasses. I have WinXPPro on my laptop. I manage everything myself. (I'm in IT, but for a data center, not the corporate desktop group.) Our company has gotten slammed by SQL Slammer, Code Red, etc. because they don't push patches fast enough, but I've never gotten infected because I manage my machine myself.

The company can never really control your machine, unless they lock you out of the BIOS. Hello boot disk.

If you're going to support your own system(s) and not call the "official" support people unless the machine bursts into flame, then what you do is up to you. I manage Tier 4 support for approx. 6000 desktops in NYC and another 10K or so globally - our "standard" is XP bastardized to support each line of business' "absolutely essential" custom applications (often 16-bit!). I currently have four wintel class machines under my desk in NY: none of them run "The Build" (because I would like to be able to finish my email before the sun sets....) Two of them run RedHat 9 (one quad cpu server, and one workstation).

I adopted the tact I "learned" from AE Van Vogt's Weapon Shops of Ishur

Never ridicule the official rules and standards. Simply disobey them.

Most people in the corporate world will ignore your actions so long as it does not make them appear unnecessary or require them to do additional work, so you should be OK as long as you don't advertise your changes or ask the help(less)desk to support your modifications.

You will probably be required to continue being chargebacked for support even though you will never utilize it.

I'm a developer and my laptop is a development station first, a test machine second, a research machine third, and a corporate machine a very distant fourth. As such I have to have complete control over it, so once IT installed Lotus Notes on it I haven't seen them (almost two years ago). If I install something and it breaks then of course I fix it (I wouldn't let IT or anyone else around my laptop unless it had burst into flames and they were carting the dead, blackened husk away). This seems to work for us.

A couple of years ago I worked at a place where they locked down tightly on the desktop machines. No admin rights, no registry editing, etc. During a development cycle I was writing an app that needed to store info in and read info from the Registry. After about thirty calls to IT in one day to come to my desk to type in an Admin password so I could edit the Registry they changed their policy. :lol:

Congrats on your new machine!

I've learned through installing many apps on my computers, without IT knowing, that if I'm going to do it, I need to be prepared to support my own laptop. I've never had too many problems though... well there was that one time I had to reload it... :oops:

&lt; soapbox >

I cannot believe how many IT-Faschists responded to this thread! :lol:

I hate locked down machines. Yes, I know they are better for the IT folks and maybe even the company as a whole, but they achieve that efficiency by handcuffing people from trying anything new, and they keep knowlegeable users from doing things better.

&lt; / soapbox >

and they keep knowlegeable users from doing things better.


speaking as the good corporate citizen (ahem...) "what's your point?"

The concerns of the Fortune 100 corporate IT manager are vastly different from the concerns of the power-user and sometimes developer. Often (and especially in the corporate world) knowledgable users are "knowledgable" in name only: the majority of real technical experts in the corporate world become consultants or move to technology providers.

My current employer's (Fortune 10) corporate policy does not value or reward "technical expertise"; its not one of our "core competancies" so we now buy it from outside suppliers. (I know its a naive position, but its "the flavor of the month").

At a recent "Town Hall" meeting, the head of our global technology division made a public statement "I never fired anyone for attempting to do something and failing. I will always fire anyone who violates company policy..." (apparently "failure" is not a violation of company policy).

Given these values, its understandable why we lock down workstations as much as possible.

Our company has a fairly strict lock-down policy, and I understand why. I think they spent 2 days trying to fix things after the "I Love You" virus was launched by about a 60-70 people, including many who "know better". Fortunately for me, I am field-based and about 1500 miles away from the office, so I get local admin priveleges - actually I don't think the IT department has ever even touched my machine. It was shipped direct to my house, and I set it up from there.

I install a few apps that I need/want, but the key thing for me is if I need to install a new printer, or software to demo for clients I can do it without shipping my laptop across the country. It helps that the IT staff knows I am a "geek" at heart, and they haven't had to touch a laptop of mine in 7 years.

Having said all this, I know I am violating company policy when I install 3rd party programs - ActiveSync, Palm Desktop, etc. It does bother me a little that if things ever went to hell I could be fired on a "technicality", such as this.

whydidnt

Developers in our company have their own testnetworks , with full rights to their computers. And if a user really needs more rights he/she does get them. I don't count hotbar as important software :D (anyone remember Bonzi Buddy?)

My company controls the softwared loaded on the computer and they also control the hardware we can use. We can only use Dell desktops and laptops - and no consumer stuff, thank you, even if it is from Dell.

I work in a production environment. I'm fortunate in that our little group has it's own IT suppprt. But we still have to stay very close to the corporate image. We calculate data that is used in our product. Some kind of undetected mal-ware or just plain old poorly written software that corrupts our data could cost the company millions of dollars in defective product, not including lost business opportunity and customer ill-will. The poor folks on the production floor can't do anything but just click the icon for the application they are supposed to be running.

It's one thing to say "If you break it, you fix it", but who do you suppose pays for the lost productivity while you're trying to fix whatever went wrong?

While I understand the importance of controlling the IT environment, I find it incredibly frustrating. My solution was to buy myself a laptop - decidedly non-Dell with non-corporate software. I use it for development, which works out fine as long as pre-production software testing is done on production computers. It also gives me the freedom to try far-out software products to evaluate bringing them into our production environment.

&lt; soapbox >

I cannot believe how many IT-Faschists responded to this thread! :lol:

I hate locked down machines. Yes, I know they are better for the IT folks and maybe even the company as a whole, but they achieve that efficiency by handcuffing people from trying anything new, and they keep knowlegeable users from doing things better.

&lt; / soapbox >


You want to try new stuff?? Buy your own computer and experiment on your own time. Don't waste my time with problems that you created.

And yes, I am one of those IT "faschists" that you speak of, working for a strapped IT department. We don't have enough people to do the work that we currently have, much less cleaning up after people who think they know what they're doing.


MLO

Wow...some IT departments actually have CONTROL over their users.

Active Directory? Pah! SMS? Who needs it?

We have at least 10,000 computers. When the blaster/welchia virus affected a few of the XP and 2000 computers, what was our response? To walk around with updates ON CD and manually touch each computer. Yes, even the Win95/98 and Mac machines that wouldn't know a welchia virus if it smacked 'em.

Our users regularly download Webshots, trial video games and screen savers. They also download spyware and viruses that generate work for us. Oh, and our department consists of around 15 people. Neat, huh?

Hey FoldedSpace - we must work for the SAME company.

It's a sad state of affairs having to support an uncontrolled/non-managed environment.

While our "knowloedgeable" users feel that it's a great environment, the fact of the matter is that they cause the majority of the problems.

Now if I can only convince my Fortune 500 company to stop using POP3 for it's corporate email....

I'm an IT Admin and have loads of apps and tools installed on my Works Computer, I have a long list of them.

I do generally give people rights to install things on their machine depending on what it is I have recently given a couple of people access to the Nokia Comm suite so they can sync their contacts in Outlook with their phone.

Every one has their own desktop res although I occasionally reset peoples 800x600 to 1024x768 and then get complaints they can't read it :roll:

I have finally set the system to automatically update windows and that prevented a recent infestation of the Natchi(?) virus. Almost all users don't have local admin rights unless they have a CDRW which they need to use :?[/i]

The trouble with IT is that they simply do not get IT. I am an employee at a health care facility, and they have thing locked down so tight that no one is willing to use the computers. Instead of getting the true benefit of finding information, the simply do not even try. Logging in, logging out, doing all of that sort of stuff makes some sort of sense for someone sitting at a desk, where they login max of 2-3 times a day. To do our job the way we would like would literally take 20-50 logins a day. At close to 1 minute per login, this makes for 1 hr a day logging in.

Furthermore, no customization is allowed, this means that instead of having a desktop short cut on my "personal" login account, I have to navigate 3 levels down the start menu, another waste of time.

The purpose of an IT department is to work, however the goal of most IT departments it to make their job as easy and convienent as possible and eliminate work, even at the very expense of the users who are the whole reason their job exists. The real goal of an IT department should be to optimize the efficiency of their users, to increase their productivity, which ultimately will increase the value of the company. The company will need to grow, their departments will grow, and they will move up the ladder.

Just my $0.02

In my experience, most good nerds/geeks know more about their PCs than the IT people. I have local Admin rights through an IT rookie mistake (YAY for me!). I have added many items like AS, but not touched the OS. Every time I've opened a trouble ticket, I've eventually located the problem myself. I can't always fix it, but that's when I call them back.

In our shop the 9x machines (about half) are totally unlocked. My laptop is running xp, so our IT dept. locks it down completely. I can't even try out demos on my ppc without loading it from home. That said, if I can show a work related reason why I need a piece of software, I can have it.

I understand perfectly though. The XP machines are 95% crash and problem free while the 9x machines are crashing like crazy. When IT checks the machine they find on-line games, Kazaa, real player and funky screensavers, and a user complaining that Word documents take too long to open.

As a user I miss the freedom of my old customized machine, but knowing the headaches our IT department has and the abuses that people made of their freedom, I think all machines should be locked down tight.

.................. I just realized I sound like George Bush..... :(

These comments get more and more interesting. I think one of the biggest problems is that some of the IT departments seem to want a one size fits all solution. The real world isn't like that. Too many IT people seem to enjoy the power they think they get by controling everyone elses PC. Is there really a good business reason to lock the desktop resolution of a monitor? I'm reminded of the old SNL skit where the computer guy totally embarrasses and abuses any staff member who asks for help. Like all SNL skits, this is founded in some reality.

It seems to me companies that decide to issue laptops have to understand that it is a mobile device and may require more flexible user rights. If you are traveling with your work, you may need to add a printer or change "something" when you are not connected to the company network.

whydidnt

Actually, IT departments just want to reduce silly jobs long enough to actually get ahead instead of putting out fires all the time. It's difficult when your user base cannot:

1. Install software, unless it's Kazaa, Webshots or games.

2. Find the power button on a printer

3. Save their own files to floppy disk

The only solution I've been able to find is Deep Freeze and Ghost. But the ones who cause the most trouble, administrators, don't want Deep Freeze on their machines.

Just to jump in again...

When you add the support in to the total cost of ownership for a particular machine, the numbers get quite large. The idea is to reduce that cost by not having to visit machines all of the time. I find that for the most part, the people that come into work and use their machines for a spacific task, are not the problem users. They don't care about the desktop, about surfing, about changing themes, etc. They come in, open, say Word or Excel, and never leave the app. They come into work, do what they need to do, and at the end of the day, they go home. 99% of the time, they never have any problems...

Now, the users that insist that they are power users, that absolutely have to have Local Admin rights, that insist they know more then the techs we send out to repair their machines, they are the "problem" users. They are the ones that always seem to require the attention of the support department. And they are the reason the machines are locked down more and more with each passing week...

But that's just from my observations here...

Steve

But that's just from my observations here...
Not just for you. I'm on both ends: I'm a power user but I also do IT consulting.

The problem is there are two kinds of Power Users:

1. Those that think they know what they're doing, but don't;
2. Those that think they know what they're doing, and do.

#1 is a huge problem. One of the bosses at a company I consult for used to eat up 50% of my total IT time for the entire company. 8O I can't count the number of times he trashed his computer until he got the hint.

There are #2, but it's very hard for IT people to differentiate, so lockdown is generally much more cost-effective.

--janak

The problem is there are two kinds of Power Users:

1. Those that think they know what they're doing, but don't;
2. Those that think they know what they're doing, and do.


Good point!!! :wink:

We have quite a few #1's, and very few, if any, #2's (at my location)...

Steve

Considering I work for the group responsible for setting hardware and software standard, my opinion shouldn't really surprise anybody. We actually do allow admin privaleges for our users due to the nature of their jobs. We have made great efforts in educating end-users on the value of a standardized desktop.

We have a list of our standards and if someone goes off the standard, one of two things happens. If there is a business reason for using the application, then we provide best-efforts support and then make the effort to bring that product into our standard environment (i.e. repacking the installer to comply with our standards). If there isn't a business case, it's time for Ghost!

&lt; soapbox >

I cannot believe how many IT-Faschists responded to this thread! :lol:

I hate locked down machines. Yes, I know they are better for the IT folks and maybe even the company as a whole, but they achieve that efficiency by handcuffing people from trying anything new, and they keep knowlegeable users from doing things better.

&lt; / soapbox >

That's a strong word - Fascist - I personally never broke anyone’s digits for breaking the PC, as much as I wanted to I never did. I prefer the term Utilitarian, the greatest common good, not a Fascist. If you are in the IT department locking down the desktops is just a part of your job and that’s what we do our job. When you have 10K machines to manage the choice of locking up the desktops is essential and rather obvious. Experiment at home, at work do what you are paid for – work, quite a simple concept to grasp. Unless you are in the R&amp;D then sure experiment but other than that your PC is much like a stapler, it is suppose to do a simple job, and do it right.

The problem is there are two kinds of Power Users:

1. Those that think they know what they're doing, but don't;
2. Those that think they know what they're doing, and do.


Good point!!! :wink:

We have quite a few #1's, and very few, if any, #2's (at my location)...

Steve

YEAH! If everyone was as good of a 733t h4ck3r as they think they are I would be out of a job,......as it stands now I am running out of time to get everything done - go figure! That's reality my friends.

Time for my 2 cents, possibly more.

First, my belief is that if corporate laptops can't do what you want them to, your only alternative is to use a personal laptop to do corporate work, whenever possible. I wouldn't join my compaq evo to a domain, but I'd sure as heck use it as much as possible as I know the environment and wouldn't think to ask anyone to help support my own personal system.

As an IT person, an MCSE on Win2k, and an A+ technician, I support the use of group policy and active directory to lock down machines. It is simply unacceptable for users to muck up a computer with personalization and then expect IT to fix it for them. The person on here who said their company has a legally binding document for people to sign if they want IT shows a company that has the right idea. You screw it up, we won't help you. I'd take it a step further: You screw it up, you buy it. See how many people who "think" they know what they are doing really try doing it.

My girlfriends mother works for a insulin pump company that, in my opinion, has a pretty good system. Their field reps get local admin rights, but all the really important stuff is on a Citrix server - the field reps log into that and can't screw up things like email and company apps. If they screw up their own PC's, no frantic calls to support come in with peole scared they've "deleted important emails" or "lost data they put into xyz application".

Lastly, and this might seem like my soapbox, when used properly, administration exercised over users in an authoritarian way is a good thing. Power games are stupid, with admin's doing things simply to annoy people. But to a degree, the kind of reinforcement that this bumper sticker (http://www.thinkgeek.com/cubegoodies/stickers/36e8/) gives can help destroy the myth some non-IT people have about IT people - namely that they have no lives, are geeks, and are lower on the foodchain than high and mighty sales people ;).

I AM GEEK... HEAR ME ROAR! :mrgreen:

What can I say? My laptop has NT4 and that doesn't support USB or Infrared properly so I just had to do a little dual booting with XP. Now because I'm on the pilot for our XP rollout, I'll be keeping my admin rights even though the majority of users who did have this before will be using them.
Finally there will be no need for me to dual boot! ;)

I feel I need to post in defense of users.

They are not all idiots, although it may seem that most are. They are individuals.

I understand the arguments to lock down computers, but I feel that if a balance is not maintained creativity is stifled.

It's seems easy to measure the cost savings of locking down PC's, but loss creativity and innovation is not quantifiable.

I was hired into my department about 14 years ago. For over a decade I was the techie guy in the area. I experimented wildly with different software to find the best solutions. During that time I was able to document that that innovations that I came up with saved the company hundreds of thousands of dollars. Also during that time, no one in my department made a single call to the tech support area of anything. Not once.

Then a couple of years ago they locked down our PC's. I was given the argument that I, as a user, was costing the company too much money from support calls. I told them to check thier records, but they locked me down anyway.

Since then I have called tech support. I was hit with the blaster virus. It seems they forgot about my PC when they pushed out the latest windows updates.

This has ended up longer than I meant it to, but I just wanted to say, not all users are idiots.

Thank you.

This has ended up longer than I meant it to, but I just wanted to say, not all users are idiots.
Of course, not everything is black-and-white. Note I stated there are two kinds of power-users. Similarly, not all IT is competent/clueful. It isn't an ideal world. That said, lockdown has its advantages for the idiot users, of which there are many.

I'm lucky in that I have local admin rights where I currently am... and in my previous job, the company was arranged such that the developers (of which I was one) all had root privileges as necessary, but the salespeople were more locked-down.

--janak

I'm a consultant, and occassionally I work for longer periods at a client site. The client usually wants me to use their equipment. I decline, saying that I use software that they don't. They usually grant me access priveledges for my notebook. End of story.

I realize that this situation is different from being an employee, but I think one of the problems with people in companies is that they don't think of themselves as being self-employed. We are all self-employed and have the ability (and perhaps the duty) to negotiate, challenge, assist, and whatever for our own interests as well as the company's. The contract, whether formal or informal, between a person and a company should be beneficial to both, with equal give and take. It sometimes takes cajones, but in the end it is worth it.

Just my $.03 worth (consultants get more).

...our current win98 clients.... ?????:multi:

Yikes!!! It's no friggin wonder folks are trying to hack their way out of the 6mm visionary box that you've got them locked within.

IT is a "support" function, period. Try "asking" your customers what they need.

The tail isn't supposed to wag the dog.

...The purpose of an IT department is to work, however the goal of most IT departments is to make their job as easy and convienent as possible and eliminate work, even at the very expense of the users who are the whole reason their job exists. The real goal of an IT department should be to optimize the efficiency of their users, to increase their productivity, which ultimately will increase the value of the company. The company will need to grow, their departments will grow, and they will move up the ladder...

I agree with this.

First, I used the word fascist (even if I misspelled it :oops: ). It is a strong word, and the :D right afterwards was supposed to show the humor!

I agree with the last post, however - IT is supposed to support, not constrain. I see from the posts on this subject that an incredibly LARGE number of viewer of this site are IT professionals.

I work in a university IT department, so we basically have to give local admin rights to people or else they'd bitch, whine, and moan that they can't install and run a piece of software they need for their research, etc. The standard suite of software is all free - the rest the individual departments have to pay for (with the exception of certain Microsoft software, which is covered under a site licence for unlimited installs, but a form must be filled out for tracking purposes).

Giving people local admin rights can sometimes be an extreme pain-in-the-ass, but it's even more of a pain-in-the-ass to have to go and install software for people as they need it. There's only 3 of us to cover 1000 computers (albeit some computers are covered by technicians in departments and faculties), so I don't need any more work than I already have (it would probably be 3x the workload to install software, vs picking up the pieces if they screw something up with local admin rights).

i NEED local admin rights.
don't want to run to the IT department all the time because i need to install an FTP program, or an update, or even activesync for my pda.

when i started at a large austrian airline company, my pc was locked. no photoshop, no ftp, just frontpage. well since i'm their webdesigner, i needed all kinds of programs, like cuteftp, homesite, gif-animator (that was before imageready) etc.
since i just noticed step by step what i was missing, i bothered those IT guys quite a lot at the beginning. in the end they told me to leave them alone and gave me local admin rights.

but i do understand the need to lock a system up. hehe, when i look at what all my colleagues are able to do to their system, i'd be surprised if it survived a week without going down.

The trouble with IT is that they simply do not get IT. I am an employee at a health care facility, and they have thing locked down so tight that no one is willing to use the computers.
If you work in the health care environment, then you are likely acutely aware of HIPAA....which is more than likely the reason your machines are locked down so tightly.

Health care is certainly a unique challenge for IT Pros. *Timely* access to patient care info is SO important in making the appropriate decisions about patient care. But that doesn't totally forego the need to protect that information.

I see from the posts on this subject that an incredibly LARGE number of viewer of this site are IT professionals.

Given the tallys in the poll thus far, I was rather surprised to read the overwhelming majority of comments coming from IT pros who favor (for mostly good reasons) the 'lock it down' mindset.

By contrast, I find it rather mindboggling that, according to the poll tally at present, so many people seem to feel using a piece of equipt their employer purchased should be theirs to do with as they please.

Either a lot of those who cast a vote in the poll aren't practicing what they preach, or a lot of those who voted aren't submitting comments to the thread. I'm going to assume the latter is the case. :)

By contrast, I find it rather mindboggling that, according to the poll tally at present, so many people seem to feel using a piece of equipt their employer purchased should be theirs to do with as they please.

Very good point. I actually had a conversation with one of the senior executives at one time regarding this. His PC kept crashing becuase he kept installing kids programs for his little one. I told him that as long as he kept doing it, we'd probably have to keep ghosting his machine and he'd have to spend time setting up his workstation every time.

He asked me how he was supposed to get these programs up and running for his kids. I told him to check out www.dell.ca. He did. 8)

reminds me of when Network Sevices found out I had kazaa running on our network..........I pretended that it was the guy who had just quit. They knew it was me but could'nt prove it :twisted:

reminds me of when Network Sevices found out I had kazaa running on our network..........I pretended that it was the guy who had just quit. They knew it was me but could'nt prove it :twisted:

Why are you running Kazza at work?

reminds me of when Network Sevices found out I had kazaa running on our network..........I pretended that it was the guy who had just quit. They knew it was me but could'nt prove it :twisted:

Why are you running Kazza at work?

When I used to have dial up at home, I connected my CF reader at work. I downloaded tons of music at work and transferred it home via my CF card. You could not imagine the party we would have at work. No one knew where I got all of that cool old school music from :)

Gee, didn't this forum create a huge responce...and not even directly related to the PPC.

I am an IT Manager for a medium sized Australian manufacturing company and unfortunately there is no right answer in all of this. IT support is extremely expensive hence most companies lock down the OS. But we/they do this because users ignore policies. We would rather not lock down any PC's as its easier to support PC's if users have admin rights. As we all know there are still large numbers of rogue software that will not run without the user having admin rights.

BUT people dont take notice of IT policies, they install P2P software, they download music, they install games etc etc, so we are forced to lock them down. In the end the users make the decision for us.

reminds me of when Network Sevices found out I had kazaa running on our network..........I pretended that it was the guy who had just quit. They knew it was me but could'nt prove it :twisted:

Why are you running Kazza at work?

Fabulas: You still don't get it? He is not really asking you why you are running Kazaa but to demonstrate why there is the need to lock down machines!

On a separate note, it seems many of us work for Fortune 100/50/10 companies (I think we are Fortune 50). I think we should start naming names! :mrgreen:

IT is a "support" function, period. Try "asking" your customers what they need.

Wow! Why hadn't I thought of that! I just need to ask our users!

Glad to hear you know that much about the place I work..... :roll:

Actually, it's because of our users that we haven't upgraded yet (and partly because of the resources it requires to do that kind of operations).

I work at the law faculty at the local university and most of our users couldnt care less if they used windows 3.11 or Longhorn. I has taken us 3 years to convince our large remaining user base to shift from Word Perfect 5.1 to Word Perfect 9! (last one changed in september and only because we could document that win98 was near EOL and WP5.1 wasn't on the XP ACL (hey! just went looking for Application Compatibility List, and can't find it anymore!??)) We take one "battle" at the time. We have last year finished our move from NT to 2000 serverside, and now we have almost used a year to prepare our WinXP installer system (we do other things in between:wink: ). Cool system btw unlike SMS this system will deliver the packets immediately and not somewhere in between now and tomorrow....

Regarding power users:
When we upgraded from 95 to 98 on our clients we found machines who had been running for 7 consecutive years without us (it-dept.) having to do any kind of maintainance what so ever (other than the automatically AV-update). You know why? B/C the user had used the computer (daily) to what it was supposed to be used for: writing letters in WP, using excel, outlook and IE. Then we have a handfull of "power users" who takes up more than 1½ full-time person because they manage to always screw up their computers with fancy installs...

The tail isn't supposed to wag the dog.

Again, nice of You who sits 5000 miles away to tell me how things are.. :roll:

Most of the people employed here write papers about legislation. They just want their computer to work as an oversized typewriter that can do mail and surf the net. They hate it to change -since then, they have to use valuable time off from something else to use to learn something irrelevant.
A small population of TAP's use frontpage and acrobat, and 2 or 3 persons use exotic programs like SAS or SPSS. Besides that, people in the administration use citrix to connect to the university's common administrative tasks.

Now, where in this scenario do you see the immediate need for us to force WinXP before time?

Actually we have no mandate whatsoever to enforce _any_ kind of control over our users (besides max size on mailbox (wich btw came about only after having an exchangeserver crashing after having it hit the max size)).

To put this on edge, we have asked what to do if we where to find illegal mp3's or child pornography on their machines or server drives (of course we would only have legitimate access to theese parts if something failed). The answer: Not a darned thing!
We just have the right to stop things from destroying the system as a whole and that's it!

They have the law on their side to exercise their right to study, and mp3's or child pornography might just be there because of that.

So please take your dog and its tail elsewhere! :evil:


When i started 2½ years ago, we used 110% (we couldn't keep up) of our time to "pull out fires".
By the fortune of an excellent new "CTO" we managed to convince of the good thing it would be to standardize the hardware. So now, instead of maintaining 41 (!) different ghost images, we are now down to 4.

Now, the support function (hey, now we can actually do other things!) spends 80% of its time supporting 10% of the users. 9% of theese 10% consider themselves as "power users"....

With a new automated installer system we expect to cut something like 60% of the calls to a "hit the button" call.

Then we will actually have time to help the users. Like doing proactive stuff and hold courses in how to use the computers (lots of people here dont know how to use the start button and/or explorer). Hey! We might even have time to evangelize the pocketpc! :lol:

So from somewhere with absolutely no control, I can wholehartedly understand why some companies choose to lock their computers down. But of course, theres a fine line between control and insanity. I can understand why the refresh rate is controlled, but a call to support should be able to change that. Then again remember, just because you are able to figure out not change your monitor to a non supported refresh rate, be sure that someone out there are perfectly capable to change it on that brand new 24" monitor that just replaced the 21" he just sizzled....

I installed a few things on my work machine. But I knew we were all being let go in a few months anyway, so I wasn't too worried about getting in trouble, lol.

I'm an analyst in an IT Training department of one of the top 3 mutual fund companies in the world. Our systems are locked down pretty tightly, ever since we converted from NT4 to W2k last year.

I think it's made it easier for the tech support folks to keep things running smoothly with the higher number of locked PCs. That being said, they've adopted a sort of "below the table" technique that seems to work really well. If you ask for a bunch of stuff to be installed, they'll come down to your desk and talk to you, kind of scope you out. If they're confident that you know what you're doing, they'll give you admin rights and let you do what you like. That's me. :mrgreen:

If they get a bad vibe from you, they'll just do the installs themselves. It seems to work pretty well, as the "stupid screensaver people" get filtered out fairly easily.

I do NOT agree with the POV that associates should tell the IT department what they need and the IT department should just give it to them. There are many aspects to keeping things running smoothly that users know nothing about. The IT people have the big picture in mind - users are just looking at improving their own little corners.

So please take your dog and its tail elsewhere! ....

Organizations both large and small, are increasingly doing just that - out sourcing their IT support functions in an attempt to gain a level of pro-active support which better enables them to service their external customers.

What I find most troubling about this discourse here is that people somehow think the PC they use at work is theirs to do with as they please. WORNG! The PC belongs to the company you work for, that hired you to do a specific task. Last time I checked job descriptions none of them spelled out “customize” as you please. Much the same way you would not to go AVIS rent a car and pimp it out because that’s what you like, that’s your style, this reflects your personal tastes. Hogwash people. What is even more interesting is that most people would not put half the garbage they install at work on their home PC because they would have to pay someone to “fix” it later on.

Yes, I agree there are power users out there, but they are not the ones usually complaining, they take good care of themselves. It is always the clueless that scream the loudest – yeah you know who you are. Locking down PC’s is just part of IT job, just like selling is part of the sales etc.. Now let’s get realistic about things here, you people think that locked down PC is the absolute totalitarian approach to restraining your work freedom. Ask around “dark rooms” ask about packet logging and proxy reports. I have done some work for an energy company that archives 300 gigs of compressed router logs every month. That’s just one department. Key logs belong to another and they go into Tb. Locking down of the OS is the least of your worries, so quit whining and be happy you still have a job because we know exactly what you do “at work” and yes we do read you mail because there is nothing better to do in the spare time when we finish our LAN party.

be happy you still have a job because we know exactly what you do “at work” and yes we do read you mail because there is nothing better to do in the spare time when we finish our LAN party.

:lol:

Instead of one of theese (http://www.thinkgeek.com/tshirts/frustrations/31fb/), why can't I get one that says "I still know what pr0n sites you surfed last summer" :twisted:

I perform IT audits. Remember, your IT department answers to management, so if they don't lock down your system and something happens, management is going to be asking them why they did not prevent it. Even if nothing happens, someone like me is going to come along during a routine audit and ask why systems are not locked down. This often leads to the IT department having to answer some tought questions from management.

be happy you still have a job because we know exactly what you do “at work” and yes we do read you mail because there is nothing better to do in the spare time when we finish our LAN party.

:lol:

Instead of one of theese (http://www.thinkgeek.com/tshirts/frustrations/31fb/), why can't I get one that says "I still know what pr0n sites you surfed last summer" :twisted:

i love that t-shirt, people just don't get it.

What I find most troubling about this discourse here is that people somehow think the PC they use at work is theirs to do with as they please.

What is your point? No one disputes that corporate PCs are corporate property. But when corporate any corporate policy, whether it be locking down pcs or a restrictive code of conduct, prevents you from doing work in the most productive way possible, that policy is costing the company money. Overall *efficiency* must be the ultimate deciding factor in all of these types of business decisions, not some individual legal or administrative idea.

Simply put: the IT people need to realize that the company is in business and will stay in business only if it is efficient. Reducing work for the IT department at the expense of creativity and productivity in the rest of the company will only result in the eventual failure of the company.

Stifle innovation with overly restrictive policies, and there is only one sure thing: that your company will die.

It sometimes takes cajones, but in the end it is worth it.


Sorry, but cajones means Drawers
you meant COJONES

I run a software engineering team within a large corporation.
Over the last several years we have seen more of a lockdown on the desktop systems used for administrative functions on the corporate intranet, such as email, ecommerce, accounting, etc..

The vary nature of software development, especially in a Windows environlment, requires specialized software and control of the OS levels.
In some cases, my team requires bleeding edge software. In supporting our external customer base, we often require access to out dated software and OS's.

This caused many "discussions" over the years with IT, Corporate Security, and my upper management. Finally, we were able to acquire separate laptops to be used on the corporate network. On these systems, we operate as good corporate citizens.

We have isolated our development networks where ever possible to reduce the risks of viral infection.

This was primarily accomplished by developing a business justification based on dollars and cents. This also takes the "emotion" out of the process, as well. On an individual basis, this may also be accomplished if you can prove that the software you "require" allows you to be more effective at your job.

i love that t-shirt, people just don't get it.

Present tense or past tense might have something to do with it :lol:

Having worked on both sides of the fence (support & in userland) I have to say - having a *Sensible* lock down policy is wonderful. But most places I have worked out have not had such great policies. As a tester I often need to use various non-corporate-standard pieces of software and it can be very difficult & time consuming to get these installed – if they are allowed at all.

Making friends with the local tech support & getting the admin password is often the best way. :wink:

I believe that the best policy is a reasonable lockdown for most users (allow screen refresh rate changes etc, none of that ‘control-freak’ anal-retentive over-prescription), BUT with the option for individuals (power users) to ‘opt out’ by signing the necessary bit of paper that says they can have admin right, but that they are on their own regarding support. Any problems, then say hello to Mr Ghost. This policy has worked well in the two places I have worked that used it. When people are given responsibility & know that they are accountable for their own actions, then they generally react well and tend not to mess things up (too much).

Too much control is bad, but no control is worse. I once worked as tech support at a call centre where there was no controls on the NT4 machines. Some users had 2Gb roaming profiles! And they wondered why it took so long to log on in the morning. :lol: Talk about inappropriate screensaver etc as well! 8O

It’s all about balance in the end really. What suits one organisation won’t suit another.

Almost everybody uses a phone at work. Do you change the ear piece? (not counting adding a hands-free), the cables?, bring another phone from home?, paint it yellow or red? NO, Why? because its a company phone, you dial, talk, hang up, and that's it.
Most company phones have a lot of fancy functions, like caller id, conference, speakerphone, etc. and cost a lot more than anything you might have at home (Last time I had to buy Avaya phones for the call center using predictive calling, each was around $400 USD)
Why don't users get the point that their company issued computers are the same as phones, staplers, pens or whatever.
I've had, as an IT Manager to handle HR people who HAVE TO INSTALL the Post-it software in their computers or else they will not be able to hire anybodo, or the authoritarian manager or director who will get you fired unless you do as he asks, and troubleshoot Barbie's first digital camera his daughter got for christmas and he cannot get to work on his company laptop, that happens to be the only computer he or his family owns, and has the complete family photo and music album, all the pornography his teenage son downloads from the internet, using a company issued dial-up account, his wife's seasonal calendars, cards, and home business software and data.
This may sound extreme, but it's common in loosely IT managed companies, specially with Managers and Directors that get the most expensive laptops and gadgets, you may say this only happens in Mexico, but it happens in most non Fortune 500 companies all over the world, where they don't have the resources to install a W2K Active Directory/User-Nightmare backoffice to control each user's computer.
In my case, I had the entire IT department document extensively each support case for about 6 months, once we identified the "troublemakers" (mostly type 1 power users that "think" they know) we began planning the lockdown strategy along the W2K roll-out.
NONE of the core operational areas of the company (including 3 call-centers with more than 1000 users each) had any problems after the upgrade/lockdown, maybe 1 or 2 supervisors complained that they couldn't have their victoria's secret catalog wallpaper. We issued a document, that Everybody had to sign stating the ownership of the computer, serial numbers (even of keyboards and mice, users keep changing them don't ask me why), and the software they were allowed to use, we had to personalize this quite a lot but it was worth it.
Six months later, we hired an external IT auditing company, and went from the Latam VP down to the lowest levels of the organization. Most IT personnel got yellow and one or two a red flag (they have local Admin Rights) for MP3s or non-standard software. From the locked-down users there were almost no flags. IT support costs have dropped dramatically in the last year, the company hasn't had to invest in more IT positions, the up-time of the mission-critical servers has more than tripled, the datacenter now looks like a datacenter and not an old abandoned warehouse, un-used IT budget from each company area has reflected in newer equipment, hand-helds for sales and technical staff, higher quality internal magazine, MACs for the designers (finally!!! they say) salary increments for all IT staff, and general productivity increase of almost 50%

Conclusion: YES I DO SUPPORT LOCKDOWNS EVEN IF "POWER-USERS" WHINE AND COMPLAIN

P.S., sorry for the length

Speaking as someone who was 'ousted' IE Dismissed, for "Gross Misconduct" relating to "Inappropriate use of company resources" , IE their laptop, I am a bit surprised at the "It's mine to do with as I wish" comments.

Moreover, how easy it is for a company to justify whatever they like to users who have the ability to make use of their PC's through 'Admin logons' - talk about an easy way to maintain your staff; let them loose with their PC's with a simple "Don't or else", and then, when it suits, use the disciplinary procedure to "downsize" as required.

Cynical? Nope - been there, seen it, and done it as well.

Brought me to a higher level of understanding of irony - my "Misconduct" was the charges raised through dial-up networking ($800 in a year) and the use of Pocket Streets... and that as I deleted everything off the PC before letting them have it back for examination prior to the review, that I therefore had something to hide.

I was dismissed by a director who had simillar on his PC, and higher charges. :roll:

Ah well :lol: Wouldn't be where I am am if not for them!

Fortune 500?

It was Shell :wink:

Almost everybody uses a phone at work. Do you change the ear piece? (not counting adding a hands-free), the cables?, bring another phone from home?, paint it yellow or red?

Actually, I brought in my own phone from home so I could use a cordless and be able to wander my office while on the phone rather than being tied to one spot. Also, years ago, before we had voicemail at our office, I brought in my own answering machine.

Almost everybody uses a phone at work. Do you change the ear piece? (not counting adding a hands-free), the cables?, bring another phone from home?, paint it yellow or red?

Actually, I brought in my own phone from home so I could use a cordless and be able to wander my office while on the phone rather than being tied to one spot. Also, years ago, before we had voicemail at our office, I brought in my own answering machine.

A poor example on my part, if you have an Avaya phone system with digital lines, you could bring your cordless phone from home, but it wouldn't work...

Sometimes users do Need to do things that the corporate standard won't let them. These users are usually developers/testers, but there must be exceptions to the lockdown system somewhere.

I have called tech support up multiple times to try to install SW used for testing, but if they won’t let you install it & you aren’t allowed to use a ‘scratch’ computers, then you can’t do the job you were hired for (or at least not to it to your full potential or to the company’s maximum benefit).

If your company gives you a saw, but you need a hammer (and they won't let you get one), then what do you do?

If your company gives you a saw, but you need a hammer (and they won't let you get one), then what do you do?
Prepare a presentation detailing why you won't meet your deadline? :roll: :wink:

If your company gives you a saw, but you need a hammer (and they won't let you get one), then what do you do?

If that really is the case, there are some fundamental problems with management. I would be looking for something else.

Our PC's are locked down very tightly. I have never had a problem getting any thing I asked for installed. If it could not go on the network (for security reasons), I have a stand alone machine also. We are in the process of building a seperate test network so we can install and play with some of the audit tools we are planning to use. Plus I have a personal machine I was allowed to set up stand alone to be my jukebox (plus I dial out on it to trade stocks at lunch/break since I can't do that over the office network).

The purpose of an IT department is to work, however the goal of most IT departments it to make their job as easy and convienent as possible and eliminate work, even at the very expense of the users who are the whole reason their job exists.

I don't intend to insult the above poster, but I am intrigued by the disparity between the beliefs of IT users, and the messages those users send to the IT departments. The goal of every IT/O department I've ever worked in, was to keep the systems working within their budgetary constraints. The important part has always been the "within their budgetary constraints" part because the IT users determine the IT budget - we always provide as much support as the users are willing to pay for, but the users want *everything* for free.

My current employer had a $3 billion (with very little "fluff") IT/O budget in 2002; in 2003 the budget was reduced by more than $1.5 billion. 90% of the technology staff was outsourced; the outsourcing company low-balled the contract amount in order to get the account, with a comparable drop in available services because all non-scheduled (they call it "ad-hoc")service is now provided ala carte.

The users are complaining that they can't understand why the level of support has dropped.

If my car's gas tank holds 25 gallons and I only fill it with 5 gallons, would I be correct in complaining that I'm not getting 25 gallons worth of mileage from the 5 gallons I paid for?

We can only provide consistent levels of support, by restricting the builds on the majority of desktops unless the user is willing to pay for a dedicated support group. Every IT user wants the dedicated support until they get the bill.

The first thing I did after receiving my new laptop from my company this year was to remove everything from it.

This included the operating system too, as the IT department (in their effort to "standardize" everything, I'm sure) removed the factory-installed Windows XP Pro OS and Ghosted a Win2K OS onto it instead. Of course, the OS wasn't the only reason for creating install images-- there were several organization "standard" applications that I'd never use installed on the machine and taking up space... Not to mention the lack of admisitrator rights to the laptop....

I took care of it all by simply eliminating it and starting with a clean WinXP slate (ensuring that I had the appropriate licensing, of course-- wouldn't want to violate any laws). As a result, I now have administrative rights to the laptop, don't have their intrusive software inventory monitoring tools installed, don't have their useless software installed, and can do anything I want to/on the machine. I'm now in the process of setting up a domain at my home and the laptop will likely join it by the time I'm done as well...

Oh, and by the way, since I did this in March 2003 I have had a total of 0 calls to our IT staff. The laptop has been kept virus-free, spyware-free, and problem-free.

To those of you who would scream bloody murder over this and say that it's company property and I've over-extended my authority, I would say this... It may be company property, but it's something I have to work on every day. It's something I have to deal with every day. And as long as I'm willing to take the responsibility for correcting problems as they occur, it's my business about what themes I use, what resolution I run at, and what apps I install.

Next project: bringing an 802.11b WiFi AP into my office... ;)

clrankin:

I hope when someone hacks into your company's network through your AP then you get nailed for it then - which you should have no problem with since you are very confident with your abilities.

While you are at it, since your desk is something you have to work on everyday, you should also be able to cut it in half, paint it in red, and rearrange it so you face the window as well. :roll:

clrankin:

Are you connecting this machine to the corporate network? If so, you cavilier attitude puts their entire network at risk. Since you seem to think there is no problem with this, I assume you have notified management that you have done this. If I audited your organization, your actions would be considered a breach and reported as such.

I agree with the above posts. Your attitude is extremely irresponsible and unprofessional. Whether you believe it to be true or not, you are jeopardizing the security of your organization and its data.

I agree with the above posts. Your attitude is extremely irresponsible and unprofessional. Whether you believe it to be true or not, you are jeopardizing the security of your organization and its data.

Did I miss a post or something?

Sorry all for the missunderstanging

Did I miss a post or something?


I think we were all responding to clrankin, which does look kind of like your name. :D

Clrankin, I do hope you are joking. What does your company IT policy say about all this? If it's anything like most of the companies I have worked for then it would be grounds for dismissal.

You can understand why most folks here are reacting with horror at the thought of all those security breaches.

Next project: bringing an 802.11b WiFi AP into my office...

I Really hope that is a joke……. :?

Did I miss a post or something?


I think we were all responding to clrankin, which does look kind of like your name. :D

Correct. I should have quoted that post. Sorry for the confusion.

I have just completed an audit of a large wood product company that uses a contracted service for its IT support. The IT support people thought it would be cool to have a wireless network set up for their own play. Naturally it was all open, we used it for 9 days to do various scans and sniffs and the IT guys did not even clue in, nor did the company that hired them for professional services. You can imagine what happened next when they did find out, once we told them to shut it down, and when it showed on the report. It is ignorant approach to IT from end users like that of Clrankin that wrecks it for everyone else. Security is seems is always compromised for the sake of convenience which is wrong so I truly hope you get hacked Clrankin. Then again if you think you are so clever why not join the IT side of things and make this world a better place for all – since you are already so good at it – this should be a breeze?

What I find most troubling about this discourse here is that people somehow think the PC they use at work is theirs to do with as they please.

What is your point? No one disputes that corporate PCs are corporate property. But when corporate any corporate policy, whether it be locking down pcs or a restrictive code of conduct, prevents you from doing work in the most productive way possible, that policy is costing the company money. Overall *efficiency* must be the ultimate deciding factor in all of these types of business decisions, not some individual legal or administrative idea.

Simply put: the IT people need to realize that the company is in business and will stay in business only if it is efficient. Reducing work for the IT department at the expense of creativity and productivity in the rest of the company will only result in the eventual failure of the company.

Stifle innovation with overly restrictive policies, and there is only one sure thing: that your company will die.

Perhaps you misunderstand me. There is a difference between the NEED to have and the WANT to have. You man want to have, personalized wall paper and cursors etc but you don’t need to have it, you don’t need to waste time thinking of changing it and finding new ones. In my IT years never once did we say NO to an end user when the need was justified. The onus is on the end user, however, to prove that they need this or that piece of software/access/whatever, just because they want it does not mean they need it. Want and Need are two fundamentally different concepts that people have trouble understanding. It would be more efficient to leave the PC’s on all the time and not to have users log in and out, but it would not be wise. A company of 10K employees could save an average of 2 minutes/employee/day on the boot up + login process + login support – think how efficient that would be, smart not at all. There are costs associated with running an efficient business and the cost of IT wizardry is just a small part of it but a very crucial one.

The company I work for ($12B in revenue yearly, 15000+ employees worldwide) still runs Win95 as the standard desktop image, although it was just announced in last quarter of 2003 that new hardware installs will be running WinXP.

As a user, I have been frustrated over the years at the difficulty to get software, etc in order to do our job - I work in Technical Publications, and several years ago, we switched over to using digital photography/artwork exclusively - imagine such a thing! Getting imaging software, image browsers, etc. was a real hassle in the beginning, until I finally had a chance to explain to IT what we were wanting to do. Since then, it has been fairly straight forward to add new software when we need it - I usually test the software out on a standalone machine for a week or two, and then ask IT for approval to install. We have gotten a lot of support from IT for this approach - basically respecting them and their job, and the corporate infrastructure, but also letting them know our needs.

I see the other side, though - I simply can't believe the people in our department who think there is nothing wrong with loading Kazaa on their office computer, or who download all sorts of plug-ins and other crap, and then bitch because their PC is so slow, and crashes all the time. We even have users who come to me with questions like "Should I click yes or no when it asks me if I want to open the file as read-only?" (this is a true story - it happened!).

So my feeling is - lock down the PC's - lock them down hard! But make sure department managers realize that requests for software installs/upgrades will be considered as long as there is a valid business reason. Let's face it, if you can't make a valid argument (productivity, cost savings, etc) for anything you want to do at work, why are you bothering to ask? I don't have much trouble getting the software or updates that I need to do my job better, but it starts with some respect for the purpose and objectives of an IT department.

The first thing I did after receiving my new laptop from my company this year was to remove everything from it.

This included the operating system too, as the IT department (in their effort to "standardize" everything, I'm sure) removed the factory-installed Windows XP Pro OS and Ghosted a Win2K OS onto it instead. Of course, the OS wasn't the only reason for creating install images-- there were several organization "standard" applications that I'd never use installed on the machine and taking up space... Not to mention the lack of admisitrator rights to the laptop....

I took care of it all by simply eliminating it and starting with a clean WinXP slate (ensuring that I had the appropriate licensing, of course-- wouldn't want to violate any laws). As a result, I now have administrative rights to the laptop, don't have their intrusive software inventory monitoring tools installed, don't have their useless software installed, and can do anything I want to/on the machine. I'm now in the process of setting up a domain at my home and the laptop will likely join it by the time I'm done as well...

Oh, and by the way, since I did this in March 2003 I have had a total of 0 calls to our IT staff. The laptop has been kept virus-free, spyware-free, and problem-free.

To those of you who would scream bloody murder over this and say that it's company property and I've over-extended my authority, I would say this... It may be company property, but it's something I have to work on every day. It's something I have to deal with every day. And as long as I'm willing to take the responsibility for correcting problems as they occur, it's my business about what themes I use, what resolution I run at, and what apps I install.

Next project: bringing an 802.11b WiFi AP into my office... ;)

I won't even bother to address your post point by point. You really shouldn't do things like that, especially with a corporate laptop...

Steve

Post edited by moderator SCJ for niceness... :wink:

The company I work for ($12B in revenue yearly, 15000+ employees worldwide) still runs Win95 as the standard desktop image, although it was just announced in last quarter of 2003 that new hardware installs will be running WinXP.

As 95 is no longer even supported, I would define this as gross negligence on the part of management.

Post #1000!

Wow. There are some energetic arguments here! The problem I sometimes have, though, is that it's seldom a black-and-white issue. Sure, completely wiping the disc and installing a new OS is one thing, but what about the other "little" things like:

wallpaper
music files
photos
personal e-mail messages
etc...

It's a fine line to walk, especially if you were to consider personal e-mail a similar breach of corporate policy.

I won't even bother to address your post point by point. You really shouldn't do things like that, especially with a corporate laptop...

Steve

Post edited by moderator SCJ for niceness... :wink:


I would like to second that motion!

I sure see you as being fired with enthusiasm over your progress, soon when the management finds out, you will be fired with enthusiasm....and the IT boys will put another notch on the post.

....and the IT boys will put another notch on the post.

And IT departments wonder why people think they are out to get them and don't want to help? Apparently it's more fun to catch people doing something wrong than to help them get it right!

There should not be an us against them mentality in any IT department, sorry but those end users that screw up are your customers, whether you like it or not. If those of us that directly served external customers had that same attitude towards those customers, most of our businesses wouldn't even exist anymore.

whydidnt

Okay - I think we've had enough people flaming Clrankin now. ;)

Why don't users get the point that their company issued computers are the same as phones, staplers, pens or whatever. (emphasis mine)
This would result in a lot of stolen computers. :lol:

Why don't users get the point that their company issued computers are the same as phones, staplers, pens or whatever. (emphasis mine)
This would result in a lot of stolen computers. :lol:

My thoughts exactly. :D

My job is to provide tech support for a hospital. Last night at 9pm, I was called away from my meal with friends to fix a PC in the emergency room. No problem; I signed up for that, right? One look at this PC's desktop showed me that one of my colleagues had been there before to clean off downloaded crap that was causing problems: the installation program for cleaning software was still on the desktop. It didn't take me long to figure out that someone or something had simply disabled the NIC, something that probably wouldn't have happened if we had restricted rights on the machine. The users complained of pop-ups, so I spent some time removing spyware. This is merely one example of what we go through in an institution with over 6000 networked devices, at last count, which was a couple of years ago. Those users think nothing of installing Webshots, Bonzi Buddy, Weatherbug, Spinner, Kazaa, Date Manager, Precision Time and a host of other applications which have little to do with work. Do you think it's easy providing excellent service when we have to take time out to track down the people who are responsible for the latest "cease and desist" letters we've gotten from the RIAA?

Incredimail is another pet peeve. I had to move some users over to our Exchange server, and wouldn't you know there is no way to import/export Incredimail to Outlook? I didn't feel extremely bad about telling them they'd have to forward the mail to themselves or lose it. The ringleader of the Incredimail incident was always downloading and installing anything and everything he got his hands on; we had to go fix his computer weekly, because they'd call and complain he wasn't able to work. I'm all for allowing people some freedom, but I was quite happy to give him his new PC, because we locked that sucker down! And yeah, it's true that not all the applications on my PC are standard, but I'm not going to be calling the Help Desk to send someone out to fix what I break, and I'm not going to be interfering with patient care because I decided a cute screensaver program was just what I needed, or because I got a new computer and decided not to wait for the support staff to properly assign me an ip address, thereby kicking a critical machine off the network (ok, not so much of a problem after Win2K, but it sucked majorly when we had Win95). There's a reason our call queues have less than 40 calls, instead of over 400, and it has nothing to do with giving people the ability to customize to their hearts' content. If we eliminate work by making sure stupid people can't interfere with operations, then we make sure that doctors, nurses and desk clerks can do their work.

Try to remember that we might seem like the bad guys, but we do these things, because people have caused problems. Big problems. Maybe some of you wouldn't, but maybe some of you did. If every user behaved, we wouldn't have to lock the machines down. If you can find a better way, then please let the world know. Most of the time, I don't like keeping people from doing what I myself enjoy. We have an entire department who must sit at their desks for 8 hours, and they cannot even surf the web on their lunch breaks, and it really pains me to know that. One person misbehaved, and now they all suffer. I suspect this is the case for most of you whose computing experiences are restricted.

No one in my department is allowed to have games on hospital-owned computers, so I've ALWAYS lugged my own laptop to work with me!

If we didn't have robbers, would we need cops?

Clrankin, I do hope you are joking. What does your company IT policy say about all this? If it's anything like most of the companies I have worked for then it would be grounds for dismissal.

You can understand why most folks here are reacting with horror at the thought of all those security breaches.

Next project: bringing an 802.11b WiFi AP into my office...

I Really hope that is a joke……. :?

Yes, the 802.11b access point part of it was intended as a joke, although our IT staff has just come out with a policy that allows us to use wireless APs in our offices if we (1) register the AP with them, (2) enable WEP encryption, (3) enable MAC address filtering, and (4) change the WEP encryption key "regularly" (that means once about every 3 days to me). But everything else is true... When I received the laptop, off went Win2K and on went WinXP, as well as several other things which make working on the lappy a little more convenient.

Does my management know about this? Yes, to a large extent. My direct manager and his manager (both friends and knowledgable about computers too) have done similar things... There are three Win2K server boxes in one of their offices (I have administrative rights and am joinly responsible for managing all of them). The other doesn't even run Win2K-- he's got Red Hat installed as his primary OS and runs an instance of Win95 (or is it 98... it's been a while since I've checked) when he needs to access Windows apps. None of this is necessarily done with any amount of support from our corporate IT department. The only thing they know is that there are three boxes which are servers and require static IP addresses... IIRC, the form that we filled out basically asked what project(s) the boxes were for, who was responsible for managing the boxes, and when the project/contract was over.

IMHO, it's nice when you don't have an overbearing IT department lurking over your shoulder every minute of every day. It makes it much easier to get the job done...

Now, all this should be said keeping a caveat in mind... Since none of these "modifcations" have been installed by our IT staff, none of them are supported by them. That means that if (or when, depending upon who you talk to) something goes wrong with my WinXP laptop, I'm responsible for fixing the problem on my own time. The only support I'll get from the firm comes in the way of "back up your files, bring the laptop down here, and we'll re-image it with Win2K". And that's just fine with me, being that I've got plenty of experience in troubleshooting things myself... I've successfully set up and managed several small networks for homes (and a few small businesses) for a few years now, and do have somewhat of an idea about what I'm doing; it's likely that our IT staff could probably learn a thing or two from me (as I from them).

I don't mean to sound conceited, but much of what I do is done with security in mind and I do know what I'm doing. I've been in the computer business long enough to understand the importance of securing machines and protecting data, and I feel confident enough to say with a high degree of certainty that my computers at work are probably among some of the most secure in the building.

As to the folks that have said I'd fail their audit... Well, that may be the case, but then again I would imagine that if necessary I could always come up with a business reason to support everything that I've done. And since my management has known about it for some time, I would venture to guess that nothing would be done and you would likely receive a suggestion that I be left alone. If nothing else, it comes down to the old adage that says "If it's not broken, don't fix it."

All I can say is that I'm glad that I work in a place that's open enough to let me do these types of things. A few years ago I worked elsewhere and had to put up with IT department know-it-alls configuring systems, preventing software installation, preventing Internet access, etc., etc. Unfortunately, the rest of the organization was a rigid and control-freakish as the IT department (these guys even went to the extent of making sure everybody's system ran at the same screen resolution!). Needless to say, I got out there as soon as possible.

Don't get me wrong; an IT support staff has its place within an organization. It needs to be there to maintain network resources, run company web sites, handle company email servers, etc., etc. They need to be able to set some policies-- like requiring everybody to have an antivirus program installed (with virus definitions updated regularly) and requiring OS service packs and security patches to be installed. There's plenty of work that needs to be done, especially with a firm the size of the place I work at (10,000+ employees worldwide). These people are valuable-- and in many cases, if you get people that actually know what they're doing, some of the staff can become near irreplacable. I have no problem with them setting standards for an organization and telling people who go off "the beaten path" that they won't support them. (As a matter of fact, I'd encourage that type of policy.) I just don't want people telling me that I can't have administrative access to my own machine... ;)

Oh yeah, and just to add a couple more notes here...

Years of full-time, graduate experience as a software developer in the IT arena: over 5.

Years of part-time experience as a software developer in the IT arena: 4.

I'm approaching 30 years old and have been working with PCs since I was in the 7th grade. As a matter of fact, I can still remember getting excited about getting my first 8086, my dad's first 286, my first 386, 486, Pentium, Pentium II... The list goes on and on... The point I'm trying to make here is that I'm far from being a newcomer to the computer arena-- from a software user perspective, from a software developer perspective, and from a system administrator perspective. Before some of you know-it-alls decide to flame the next time, you might want to take some time to find out who you're dealing with. Remember, M-C-S-E &lt;> G-O-D... ;)

It's just too bad that some folks here don't quite seem to get the idea that it shouldn't be an us vs. them mentality when it comes to IT within a company.

And to the person that said he hopes my AP gets hacked... I'd invite you over to try and hack your way into my setup at home and get any useful information from the wired side of my network, but it would be a complete waste of your time. Needless to say, there's much more that separates my wired network from my wireless network than just a simple WEP key that can be cracked with less than a gig of data transfer. IMHO, such comments speak directly to the maturity level of the poster. If you're employed full-time, I'm sure you're a real fun person to work with-- all the charm of Nick Burns the Computer Guy combined with the tact and maturity of Archie Bunker. ;)

Maybe I'll just leave PPC Thoughts and head back to Brighthand where many of the conversations are less hostile and more mature...

It's just too bad that some folks here don't quite seem to get the idea that it shouldn't be an us vs. them mentality when it comes to IT within a company.
Agreed, to some extent, but dealing with what I call the "1st category" (see my earlier post (http://www.pocketpcthoughts.com/forums/viewtopic.php?p=198414#198414)) of power users is very difficult -- they're stubborn at times -- and I have a feeling people have taken a hard hand not out of desire, but out of necessity in certain situations. By your description, I'm assuming you fit in the "2nd category", and as long as you cooperate with IT and your company's policies, I don't have a problem with your position.

Maybe I'll just leave PPC Thoughts and head back to Brighthand where many of the conversations are less hostile and more mature...
Oof. 8O We're really nice people around here in general -- take a look at some other threads, I think people got a little too worked up about this. :| I really don't think anyone meant it personally. Feel free to PM me if you want to discuss it further or if you have feedback.

--janak

When I received the laptop, off went Win2K and on went WinXP, as well as several other things which make working on the lappy a little more convenient.

None of this is necessarily done with any amount of support from our corporate IT department.


Now, all this should be said keeping a caveat in mind... Since none of these "modifcations" have been installed by our IT staff, none of them are supported by them.

As to the folks that have said I'd fail their audit... Well, that may be the case, but then again I would imagine that if necessary I could always come up with a business reason to support everything that I've done. And since my management has known about it for some time, I would venture to guess that nothing would be done and you would likely receive a suggestion that I be left alone. If nothing else, it comes down to the old adage that says "If it's not broken, don't fix it."



I guess I am not being clear in my point. There should not be unsupported shadow systems in place that are being used for any essential business functions. As an auditor, I would look that the business case was documented and approved before you were given permission to make these changes. Again, if these things are necessary and are approved by management, then your IT department should be supporting it. If they are not supporting an essential business need, then that is a problem.

I assume your company, like most I encounter, have a written policy against doing what you have done. Just a word of advice from the CYA department, get permission in writing for what you have done. That way, you are protected if these changes become an issue in the future.

and head back to Brighthand where many of the conversations are less hostile and more mature...

Brighthand less hostile and more mature? Now that's funny! :twisted: JA

Now, all this should be said keeping a caveat in mind... Since none of these "modifcations" have been installed by our IT staff, none of them are supported by them. That means that if (or when, depending upon who you talk to) something goes wrong with my WinXP laptop, I'm responsible for fixing the problem on my own time. The only support I'll get from the firm comes in the way of "back up your files, bring the laptop down here, and we'll re-image it with Win2K". And that's just fine with me, being that I've got plenty of experience in troubleshooting things myself... I've successfully set up and managed several small networks for homes (and a few small businesses) for a few years now, and do have somewhat of an idea about what I'm doing; it's likely that our IT staff could probably learn a thing or two from me (as I from them).
That's the root of the problem isn't it? I don't believe that as long as you don't expect IT to support your system, you're not doing anything wrong. This is one of the biggest attitude changes that need to happen in the user community if IT departments are to do their jobs effectively. IT departments don't just set standards because it makes support easier (although that's a big reason). There are several reasons standards are important.

I don't mean to sound conceited, but much of what I do is done with security in mind and I do know what I'm doing. I've been in the computer business long enough to understand the importance of securing machines and protecting data, and I feel confident enough to say with a high degree of certainty that my computers at work are probably among some of the most secure in the building.
Based on whose criteria? I'm assuming that your company has an IT Security officer or group. Is it not their job to decide what is and is not secure?

To extend this point, why is it more widely acceptable to disregard IT policies? If I were to decide which HR or Finance policies were important and which I could ignore, I would be looking for a new job pretty darn fast! If I decided that the HR policies related to discussing matters with the media, I'd be fired instantly. Why is it then OK to decide that IT policies are open to interpretation? Your company is a Win2K shop. That's their environment. In my company, if someone wants XP, I tell them to buy a home computer. If you need XP to do your job, then your issue is with the IT department not responding to the needs of its customers. But to decide on your own that XP is right for you and go ahead and run it is irresponsible - no matter how much you know what you're doing.

It's a question of attitude, not skill.

Don't get me wrong; an IT support staff has its place within an organization. It needs to be there to maintain network resources, run company web sites, handle company email servers, etc., etc. They need to be able to set some policies-- like requiring everybody to have an antivirus program installed (with virus definitions updated regularly) and requiring OS service packs and security patches to be installed.
I'm not sure if you meant it to be, but that came off as very condescending when I read it. You seem to be suggesting that the IT department should be a "speak when spoken to" entity. In fact, the IT departments are becoming more and more important to the success of any company. I believe much of this attitude stems from the fact that IT departments are relatively new. The IT industry is only about 20-30 years old -- a short time when compared to other fields. Add to this the fact that most companies IT departments grew from their Administrative staff and you can see part of why they're still fighting for respect.

There's plenty of work that needs to be done, especially with a firm the size of the place I work at (10,000+ employees worldwide). These people are valuable-- and in many cases, if you get people that actually know what they're doing, some of the staff can become near irreplacable. I have no problem with them setting standards for an organization and telling people who go off "the beaten path" that they won't support them. (As a matter of fact, I'd encourage that type of policy.) I just don't want people telling me that I can't have administrative access to my own machine... ;)

I don't disagree that the talent must be retained. I am also the first to say that the primary goal of any IT department is to support the front line staff. The IT department is there to make their job's easier, not put up road blocks. Unfortunately cost is usually the defining factor. To support every indivdiual completely so that they can use whatever they need would be extremely costly from a support perspective. That's one of the main reasons standards are put in place. It allows a consistent environment, both for support and for development.

I work for a large company (100,000 staff globally) and we develop many in-house applications. Most of the applications developed in-house are business critical. In order to ensure that these apps work on all workstations, there needs to be standards.

I should also point out that there must be room for exceptions. We have a very detailed process in place for this where I work. If someone makes a business case for an application that is not standard, we have an evaluation process that will determine whether or not the installer affects our environment adversely. If it doesn't, it gets added to our list of approved software. If it does, we work with the user to find a solution. In some cases, we'll repackage installers so that they will work. In others, we'll recommend alternatives. In others still, we'll allow the users to proceed with the understanding that there may be unexpected consequences and that the stability of our O/S, network and standard applications are the priority (i.e. if we rollout an application update and your app breaks, we won't rollback the application update).

Maybe I'll just leave PPC Thoughts and head back to Brighthand where many of the conversations are less hostile and more mature...

I apologize if I came on a little strong before. It's obviously something I feel strongly about. :) It's just frustrating as you were giving voice to the perception that IT departments are not worthy of the same respect as other departments. Like I said above, would you be as confident making up your own rules with HR policies? Nevertheless, if I took out my frustration on you, I apologize. It was not intended to be a personal attack.

I reckon the co. I work for has a pretty good policy, namely that you may not install anything on your corporate PC / laptop without IT's permission. As I am not a very knowlegable computer user, I have no problem with that. I don't want to lose my job because I inadvertantly screwed the network! :lol:
They do not lock down our PC's very tightly, and they generally are happy for you to install anything you like as long as you can show that you have a sensible reason for it. If it's something that comes from an unproven source, like some design software I wanted a while ago, IT test it out first, then give us the go-ahead or refusal, depending on what they find.
Basically they treat us as though we can be trusted not to be too stupid, and by working with us, and us with them, we seem to suffer relatively few staff induced problems in the U.K. region 8)
For me, this is the way to go. :D

My only comment is this.

If your company bought you a laptop to use, then remember it is not your laptop, but rather company property. And your company can choose to either lock down that system or not - like it or not.

I've been doing IT for 10 years and believe me - a managed infrastructure, correctly implemented can work to serve all parties involved.

I bring my own computer to work and plug into the network. I don't touch the company computers without written orders. This avoids a lot of problems.