

At Valparaiso University, faculty and staff were traditionally given high-level permissions on their University-owned computers called "local administrator rights." This practice allowed employees to install software and conduct other computing tasks. Beginning in Fall 2017, IT will no longer allow all users of University-owned computers to have local administrator rights. Past misuse of these privileges has led to IT staff regularly allocating time and energy to fixing the resulting problems, such as restoring corrupted or deleted files and eradicating malware from computers. One security breach could cost the University dearly in lost time, revenue, and reputation. We realize this change in policy may create challenges for users who once had unrestricted administrative rights to their assigned PCs; however, the risks associated with allowing complete, unlimited privileges now outweigh the benefits.

By default, all users will have only User status on their University-owned Windows PCs. IT recognizes that some faculty and staff need to perform tasks requiring elevated permissions. To accommodate these individuals, IT will create an additional username.admin account for them on a case-by-case basis, with membership in the Local Administrator group on selected PCs.
To achieve this goal, we will use Group Policies to remove all existing membership in the Local Administrator group and add the following security groups:

...

We also recognize that there may be a business need for some individuals to possess temporary Local Administrator Rights to a laptop while away from campus; for instance, to install wireless networking access software at an off-site location. In this case, a temporary username.admin account will be created with an expiration date. The individual will need to log in to the laptop on campus while connected to the domain to create a cached local account on the PC for the temporary username.admin account. This account will be active with Local Administrator Rights on the laptop until the computer reconnects to the campus domain after the account's expiration date. The temporary account should be requested via an ITicket through the Help Desk well in advance of the date it is needed, to allow IT staff time to complete the request.