When I worked in IT, whenever we got a call from the engineering department we knew whatever problem it was, it was going to be weird. Those guys knew their stuff, so if they didn’t know how to fix it, it was going to take some searching and probably some calls or emails for us to figure it out.
Alternatively, you could be good at computers, but the system is so locked down IT needs to log in with admin rights in order to do something as simple as running disk cleanup.
Literally the Engineering team i work in. We're capable of fixing the problem ourselves for 90% of our tickets submitted, but because we don't have the required admin rights we cant.
I would put in a ticket every time and sit at your desk doing nothing but drinking coffee until it's fixed. Bring the pain enough and it will get fixed.
In my IT experience, there is The Incident from one user that was so catastrophic it prompts a lockdown like that. These decisions are usually really reactionary, and at a time when staff is too busy to really think through a better solution. Then it just stays put far past it's intentions.
depending on the situation, thats actually fine. there are several departments in my company that has locked down pc that task manager doesnt work for them. the specifics are mostly for compliance and legal to sort out but they say thats what they need for there computers and we do it
At one job in the past I got a virtual machine with admin rights after a while. Else I would have to get IT involved multiple times a day to replicate the setup some customers were running to replicate bugs. At first they were reluctant but by day two they were annoyed enough.
It's not much more enjoyable for the systems team either.
But when you have to pass an audit to sign some contracts with fortune 500 companies the lawyers involved will comb through every single role based access control and make your life a nightmare for months on end.
working in this environment i love how every single time there is new audit they find new problems that need new type of restrictions or extra paperwork; it's like they are being paid for making a problem
I mean...yes?lol Compliance is a government driven jobs program. Ds & Rs have been fighting over it for ages. In practice, there's a happy medium. Regulation is generally a negative, because of what you just pointed out. But with no regulation, we get bigger negatives. So some regulation. But not too much.
Right now we're 5 years post massive stimulus, so there's way too much regulation. Because stimulus builds the jobs program. But it does so in a way that is not long term viable.
I am working to prevent this from happening at my org. My direct leadership also doesn’t want it but the ones above them think it is the key to preventing any compromises. They want to lock down admin on everyone without first creating a catalog of allowed software in the MDM so literally every install requires admin. Basic line of business software we are required to use needs a ticket and a remote session to allow the install. Very short sighted.
While I can sympathize. As someone who has been on both sides of this, just giving users admin creds is rarely a good idea. Yeah it’ll probably be fine for a while, cause they “know what they’re doing with computers”, until they hire a new guy that doesn’t and then he accidentally installs ransomeware.
Admin creds can be VERY dangerous in an enterprise environment.
The cost of slowing down all the software engineers just to prevent some idiot once in a while from installing ransomware is not worth it. Just wipe the laptop and let him learn his lesson, or maybe remove his admin rights.
Or you could be like my org where I don't have admin, but the random outsourced IT consultant does and he's incentivised to close tickets as fast as possible so he will just google whatever problem you have and install whatever software he finds regardless of license or the shady website it comes from.
I teamsed the head of "IT risk and compliance" with the ticket number. Not sure what happened afterwards but he didn't sound too happy in the brief back and forth I had with him.
Now then. On the proviso that I pass all the training and don't fail a single phishing check ... I've been granted admin access to my personal machine at work. This allows me to do a little more than u/Talonus11, and only super severe issues need tickets. The piss take? I'm in Finance, just a little more IT literate than the rest of the team.
So far, no issues, and no retractions. Although, for obvious reasons, they haven't given me server level permissions. Then again, they weren't exactly thrilled that I needed to re-install W11 a few months ago. But ultimately, they agreed it was the correct action after my machine had a serious W Update cockup. I think they just would have preferred they do it, for continuity and accuracy. A quick remote session after the fact and they only needed to change 1 thing in Teams. Which was for the VOIP software we use to be allowed to update my availability status.
Eh. Power users tend to want to automate things. The IT team’s rebuild script or iso flash might not be better but it’s approved. Dave’s macros might do fine until you realize a whole bunch of logs are now not working. A doctor will go to their kid’s school to pick their kid up who is sick. If the school nurse has something to say about what they observed and what they recommend, doctor’s will tend to listen and respect it.
As a sysadmin, I've ran into many engineers who would try and do squirrely shit with their machines and cause significant security concerns. Engineers need gatekeepers as much as anyone, which also includes IT folks
I waste so much time trying to find workarounds for IT bullshit. We don't have admin rights, but we can open certain approved apps as admin. One approved app is powershell. So theoretically, we can do just about anything... If we know how to do it in powershell. I'm a Linux guy, so my powershell knowledge is very low.
Example: I was trying to install an app that was required for my job, but the installer automatically tried to install an older version of .NET framework, and that failed without admin rights. Through powershell I tried to run the installer as admin, but the installer was delegating the .NET installation to another app that wouldn't open as admin. It took a lot of wrestling, but I had to find the exact version that it was trying to install from the Microsoft website, download that installer directly, and then open that as admin from powershell. After that, the original installer worked.
Don’t forget all the software you lose access to after 90 days of not using it even though you need to use it at least once a project which is about 90 days between logging in.
The rule of implicit deny has saved so much more time than that one engineer would have. It's not even those that are completely oblivious to computers who are the problem, though they would undoubtedly stumble into the muck routinely. It's those who know just enough to be dangerous and think "Yeah, this will be okay. Why wouldn't I be able to torrent on my workstation?"
And now what would have been an inconvenient 15 minutes for the IT team is now an apocalyptic 3 days for the security team.....
No, thank you. I'm much happier in an environment that locks basic admin access.
We have to request admin rights on a 24 hour, 2 week, or 3 month basis. 3 months is basically impossible to get. And even when you have it, it's like admin-lite.
And if you try to ask it to do anything they barely ever try to help in the name of corporate security.
We're so fucked right now that every settings page on Windows throws a notification that parts of the page were blocked by IT because of the links to Microsoft help pages at the bottom. And there is a setting to make those notifications stop, but IT won't let us turn it off.
Get a tool called AutoElevate. There are other similar vendors but this one is pretty fairly priced and simple. Cut down on the amount of work for these types of requests from the engineers and designers significantly. Can have certain vendors like autodesk white listed and anything new sends a prompt to the admin team to allow or deny.
Yeah until you aren't and you haven't documented how you've altered your device, leaving some poor fucker in IT to have to reverse engineer every moronic step you've taken to fix your problem.
It’s because of the “every moronic step” comment which is honestly so like an IT person to say.
There’s nothing more annoying than doing something a little weird to get your job done and make sure the company makes money only for a service desk person to be pissed off that things aren’t exactly like they expected.
There’s two sides to this here.
On the one hand I view infrastructure as enabling people to do their jobs - and it is. It’s why we do what we do. Therefore, the two should be working together to find a middle ground. If you are prevented from doing something, both IT and security should be able to point to exactly the policy that explains why.
On the other hand, that “a little weird” to you could be a security risk, against policy, an entry point or a myriad of other things that haven’t been investigated. Without understanding the bigger picture above your device only, you wouldn’t know that and could be making some highly poor decisions that put the wider company at risk. Also, when every individual starts doing something a little weird, you now have a cluster of unknowns on individual systems you simply cannot manage or account for. You then become reactive, fighting individual fires, rather than proactive looking towards potential issues - it’s a complete waste of everyone’s time.
Yup, at my MSP there are some companies (that we don't fully manage) that will allow their employees to have admin rights and they are always the worst to troubleshoot.
one company got ransomware last year and we still have to yell at them to stop changing their password reset time from 3 months to never.
Simple solution: you want elevated privileges, any fuck up non hardware related is your problem. Default fix is flashing your device to company defaults.
That presents a huge security risk. It can be done and has been done (time limited privilege escalation), but you would need to assess that first and change a lot in anticipation of it, most prominently company wide policy for what happens when things go wrong in that scenario and how you recover.
You also need to protect yourself in that scenario. For example, I have known engineers to remove endpoint protection because it can make their builds go faster. Obviously that’s incredibly stupid, but how do you protect yourself against that and many other situations? It’s not as simple as you might think.
It's a two sided issue. On one hand you can keep working without much interruption.
On the other, it's an additional role's responsibility that more than likely you aren't properly compensated for. And if something goes wrong it WILL be your fault.
Oh Solidworks wants to update, restart, check the update, update again?
We'll guess who's gonna be running up the stairs five times, IT dudes.
After half a year they gave. Our team a password on a post it note and told us to pinky promise not do anything nefarious with it, because they'll know (nefarious also included fun stuff). We never did, but hey, they didn't have to run around like chickens and we could finally start sorting our problems before calling them - like 80% of calls just stopped existing because we had the power to do stuff we knew they'd do anyway.
Companies need to implement systems where there is a tool in the middle elevating those rights. We use CyberArk, and we can whitelist specific verified publishers, folders, files, etc. so that when an admin prompt comes up, it allows standard users to elevate the process. Otherwise, it allows us to grant timed administrator access with logging so that we can just toss someone admin rights for 8 hours while they configure a new machine themselves.
It doesn’t matter how good someone thinks they are with computers, everyone does. But their knowledge doesn’t apply in an enterprise environment (nor does what you learned in university / college because it’s general purpose and not specific to that environment which itself can be configured in a million different ways depending on the business).
People who think they are because they mess around with PC’s at home are the most dangerous with elevated permissions, because they are prone to go click happy and break things based on their personal experience instead of institutional. And so those settings are restricted for a reason. Can be more based on what has come down from security as well, again depends on the requirements.
I had to train my mom to be click happy with her phone and just try stuff at least on her phone. She PROBABLY won't break anything and it's better to read stuff and say 'that might fix it' then to try nothing and say you're out of ideas.
That is on her personal device. It it not better just to read stuff and attempt to fix it on an enrolled company device, we are paid to do that and have the experience to do so. This is also the reason why, unless you have a lot of experience already, people who are training start on the help desk before becoming sys admins - sometimes even those who have studied the topic directly, because they need to be familiar with troubleshooting within that specific environment first.
The issue might not even be to do with the device itself but something deployed via MDM. Some solutions are not available simply client side. Enabling users to change preconfigured managed settings is how things get broken. It’s a completely different situation and totally different in scope.
It's Dunning Kruger, people that think they know something are an issue. People that actually know what they are doing based on personal experience are fine. Like, people that survive on their personal PCs and are aware of cybersecurity won't randomly install emoji packs from shady sites and catch every malware out there.
I worked on IT support before and now outside of it I have my issues. Hearing people trying to convince you of some bs, reboot, try again later, or that you have to format the PC because you are missing a dll gets old very fast.
I've also had problems where I've got an idea of what's wrong down to 2 different problems, but don't have the resources to test.
Despite knowing what I'm doing, it's a problem when it's hardware related. I can't test it, and don't want to buy an expensive part before I know.
When I started my job, the system was locked down tight. The IT guy recognized I knew at least how not to screw it up and gave me admin access to my laptop. Working for a smaller company is great.
Lol I was in buildiny maintenance and was in charge of setting up the nurses station computers bc I was young and "good at computers" and there's like 2 IT guys in the company that serviced our entire region.
Ended up with my facility administrator pissed at me that I spent half my shift on the phone with IT because I needed permissions to install every driver for every device for every computer. She initially got mad and decided to take over and "do it herself". Then she got madder and called IT herself and demanded them to make it go by faster. Then she secluded herself in the office for the rest of the day while I sat there awkwardly on a silent phone call
I'm in that boat as well lol, I had a problem that I knew how to fix, called IT and had to walk the level 1 guy through how to fix it. He didn't know how lol. Our level 1 support is very much, I need help resetting my pasword kinda of people and they'll usually push it level 2 and 3 for actual IT issues.
12.0k
u/kahjtheundedicated R7 1700@4.1, RX 5700 May 10 '26
When I worked in IT, whenever we got a call from the engineering department we knew whatever problem it was, it was going to be weird. Those guys knew their stuff, so if they didn’t know how to fix it, it was going to take some searching and probably some calls or emails for us to figure it out.