IT vs. end-users: A struggle over local admin controls

IT teams frequently have to find a balance between easing frustrated end-users and protecting the organization by restricting local admin rights
article cover

Francis Scialabba

· 3 min read

Anthony Oren has a rule at Nero Consulting, a managed service provider that offers a kind of “virtual IT department” for small- and medium-sized businesses:

You don’t get admin control of your computer.

“If you work for a company, and the company issued you this computer, then it will be locked down by IT,” said Oren, who’s Nero’s CEO. “From the most basic thing of installing a printer, to installing some application update for QuickBooks, Adobe Outlook, whatever it may be, you need to reach out to IT to get permission to do so.”

For updates, Nero clients file a request via an email ticketing system, and the support-team responds—usually within 15 minutes, said Oren.

But end-users can be frustrated with an inability to get the updates they want, when they want.

“You have that small segment of the population that is like, ‘Why are you just not letting me do certain things?’ Oren told IT Brew.

IT teams frequently have to find a balance between easing frustrated end-users and protecting the organization by restricting local admin rights that allow privileges like program installation.

Top admin

How often are industry pros seeing this installation frustration?

“Constantly,” said Paddy Harrington, senior analyst at Forrester. “It’s pretty much everywhere where IT hasn’t gone down the local-admin-rights road.”

One type of worker—a go-getter, quite literally—finds the tools they need to get the job done, regardless of policy.

Whit Andrews, VP and distinguished analyst at Gartner Research, calls these employees “mavericks.”

“Mavericks are less satisfied with what the company gave them,” said Andrews. “They’re using stuff that the company didn’t give them.”

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

While mavericks don’t automatically cause security problems, a maverick with local admin privileges could—in Top Gun terms—create security-vulnerability checks that the IT department can’t cash.

Ways to help

  • Communication: “Let the users know what the job is, and why things may take a little longer and why you can’t just have full access,” said Harrington.
  • Web applications and virtual desktops: “Companies, in general, should move more and more to applications that don’t depend on you having software on your end-user systems,” Jerald Murphy, SVP of research and consulting at Nemertes Research, told IT Brew.
  • Work with IT: “Those teams should have SLAs for when they will work with the users to get this done by, with shorter times if it’s a team-based need and the ticket is submitted by a team manager,”  Harrington added.

In April 2022, fake Windows 10 updates distributed Magniber ransomware. The attack demanded approximately $2,500 from companies— – a significantly lower number compared to the average.

If an end-user accidentally downloads malicious code from a site pretending to host the latest update, that malware could move throughout the organization, generally with the same privileges as the local admin user.

“Something runs on their computer that’s malicious in nature, such as ransomware…Once that program drops onto that computer, it’s game over,” Oren said.

Later, he added, “There’s immense pressure on IT to constantly update software because of the bad things that are out there and all these vulnerabilities and viruses.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.