Standardization of Office Computers to District-wide Standard

The LSC, Porterville, and Cerro Coso all have removed "administrative rights" from their office computers so the users just have "user rights". This has made supporting and troubleshooting of their computers easier to do than in our situation where we have over 700 office computers that have become quite unique from each other because of all of the various installations and other "features" that have been added to the computers over the years including "malware" such as spyware, spam generators, etc. The LSC is not mandating (yet) that all district office computers have the administrative rights removed but that may happen sometime in the future. Many other CA community college districts have already done that and others are making plans to do so. (This is also standard security practice or recommendation at a great many four-year and research universities too.)

Since the Information Services help desk functions will be centralized at the LSC in September 2008, our campus I.S. is proposing that we move our computer users from the "administrator" (or "power user") level to a regular user level to help the new help desk succeed. This will help prevent the BC office computers from becoming even more "unique" as time goes on. It will also prevent users from inadvertantly causing problems by agreeing to download "helpful" plug-ins when we visit some website that doesn't have our best interests in mind. In Windows XP, one of the side-effects of not having "administrative rights" is not being able to install software. That could seriously effect some of our faculty power users' abilities to make innovations in their curriculum.

Our campus I.S. is aware of the real possibility of a future edict coming from the district administration on the removal of administrative rights on all district office computers, so our campus I.S. is proposing that we act proactively with a solution that still gives us enough flexibility to innovate in our curriculum design. The solution includes the use of a software package called "Privilege Manager" from BeyondTrust that will allow certain applications to be installed by the individual faculty/staff member and that will allow certain tweaks to the desktop or settings such as the clock so an I.S. technician will not have be tasked for every software installation. Privilege Manager is approximately $20,000. The software will use an approved application/software list developed by us, so you need to let the BC I.S. know what software needs to be on the approved list.

The moving of users to a "regular user" level will NOT mean the erasing of software already on your computer. That software will remain. Updates to that already-existing software will still be possible. It will prevent any future software from being installed without prior approval. You will be able to add to the list as time goes on, so don't feel you'll be locked out of future software that hasn't even been invented yet or that you aren't aware of at the present time. As the need arises, send your request to the BC I.S. The approved list is expected to grow over time.

The change of our computer user rights will affect the PC Windows users only. Macintoshes and Linux machines use some form of a Unix operating system that has much better control of user privileges. However, it is recommended that Mac and Linux (and BSD, Solaris) users not operate their computers under the "root" or "superuser" account that is basically equivalent to the "administrator" user of Windows. The fact that this change is going to affect the PC Windows users only may seem like an argument for going with a Mac, unfortunately, the campus doesn't support using school money for Macs except in very special cases (such as the Graphic Arts program or the music dept or the RIP). :-) The rest of us who use Macs purchased the equipment ourselves and are on our own for the most part as far as support goes.

Important follow-up points

What are "Administrators" and "Administrative Rights"?

On a computer, an administrator is a local account or a local security group that has complete and unrestricted access to create, delete, and modify files, folders, and settings on that computer. This is in contrast to other types of user accounts that have only been granted specific permissions and levels of access. An administrator account is used to make system-wide changes to the computer, such as:

Administrative rights are permissions granted by administrators to users which allow them to create, delete, and modify items and settings. Without administrative rights, you cannot perform many system modifications, such as installing software or changing network settings. Normal users have some minor administrative rights, e.g., they can modify anything in their home directories, but rights that affect the computer as a whole are normally withheld.

Hazard of Running Your Computer as an Administrator or Power User

Running your Windows 2000 or later computer as an administrator or Power User leaves your computer vulnerable to security risks and exploits, such as Trojan horses. Simply visiting an unfamiliar Internet site as an administrator or Power User can cause extreme damage to your computer. The site may have Trojan horse code that can be downloaded to your computer and executed. If you are logged in with administrative or Power User privileges, a Trojan horse could cause damage such as reformatting your hard drive, deleting all your files, and creating a new user account with administrative access.

Similar reasoning, by the way, is used to explain why Unix users (Mac OS X, Linux, etc.) should not log in as the "root" user or operate as root continuously. When they need root-level access, they usually use the "sudo" command. Each user has a home directory that he/she can save documents to, install programs in, and maintain personal preferences. (I'm not sure if Microsoft's Vista has that sort of control that has been part of Unix since the 1970s.)

The part of this document about the administrator and administrative rights was adapted from the Knowledge Base at Indiana University's Information Technology Services. Select the "Knowledge Base" link to go to the document I started from. Microsoft has an article about why you should not run your computer as an administrator.

last update: May 1, 2008

Go to ISIT home

Document author: Nick Strobel
Math-Science 101 (Planetarium), 395-4526