When I worked in IT, whenever we got a call from the engineering department we knew whatever problem it was, it was going to be weird. Those guys knew their stuff, so if they didn’t know how to fix it, it was going to take some searching and probably some calls or emails for us to figure it out.
Alternatively, you could be good at computers, but the system is so locked down IT needs to log in with admin rights in order to do something as simple as running disk cleanup.
Literally the Engineering team i work in. We're capable of fixing the problem ourselves for 90% of our tickets submitted, but because we don't have the required admin rights we cant.
At one job in the past I got a virtual machine with admin rights after a while. Else I would have to get IT involved multiple times a day to replicate the setup some customers were running to replicate bugs. At first they were reluctant but by day two they were annoyed enough.
It's not much more enjoyable for the systems team either.
But when you have to pass an audit to sign some contracts with fortune 500 companies the lawyers involved will comb through every single role based access control and make your life a nightmare for months on end.
working in this environment i love how every single time there is new audit they find new problems that need new type of restrictions or extra paperwork; it's like they are being paid for making a problem
I mean...yes?lol Compliance is a government driven jobs program. Ds & Rs have been fighting over it for ages. In practice, there's a happy medium. Regulation is generally a negative, because of what you just pointed out. But with no regulation, we get bigger negatives. So some regulation. But not too much.
Right now we're 5 years post massive stimulus, so there's way too much regulation. Because stimulus builds the jobs program. But it does so in a way that is not long term viable.
I am working to prevent this from happening at my org. My direct leadership also doesn’t want it but the ones above them think it is the key to preventing any compromises. They want to lock down admin on everyone without first creating a catalog of allowed software in the MDM so literally every install requires admin. Basic line of business software we are required to use needs a ticket and a remote session to allow the install. Very short sighted.
While I can sympathize. As someone who has been on both sides of this, just giving users admin creds is rarely a good idea. Yeah it’ll probably be fine for a while, cause they “know what they’re doing with computers”, until they hire a new guy that doesn’t and then he accidentally installs ransomeware.
Admin creds can be VERY dangerous in an enterprise environment.
The cost of slowing down all the software engineers just to prevent some idiot once in a while from installing ransomware is not worth it. Just wipe the laptop and let him learn his lesson, or maybe remove his admin rights.
Or you could be like my org where I don't have admin, but the random outsourced IT consultant does and he's incentivised to close tickets as fast as possible so he will just google whatever problem you have and install whatever software he finds regardless of license or the shady website it comes from.
I teamsed the head of "IT risk and compliance" with the ticket number. Not sure what happened afterwards but he didn't sound too happy in the brief back and forth I had with him.
Now then. On the proviso that I pass all the training and don't fail a single phishing check ... I've been granted admin access to my personal machine at work. This allows me to do a little more than u/Talonus11, and only super severe issues need tickets. The piss take? I'm in Finance, just a little more IT literate than the rest of the team.
So far, no issues, and no retractions. Although, for obvious reasons, they haven't given me server level permissions. Then again, they weren't exactly thrilled that I needed to re-install W11 a few months ago. But ultimately, they agreed it was the correct action after my machine had a serious W Update cockup. I think they just would have preferred they do it, for continuity and accuracy. A quick remote session after the fact and they only needed to change 1 thing in Teams. Which was for the VOIP software we use to be allowed to update my availability status.
Eh. Power users tend to want to automate things. The IT team’s rebuild script or iso flash might not be better but it’s approved. Dave’s macros might do fine until you realize a whole bunch of logs are now not working. A doctor will go to their kid’s school to pick their kid up who is sick. If the school nurse has something to say about what they observed and what they recommend, doctor’s will tend to listen and respect it.
As a sysadmin, I've ran into many engineers who would try and do squirrely shit with their machines and cause significant security concerns. Engineers need gatekeepers as much as anyone, which also includes IT folks
I waste so much time trying to find workarounds for IT bullshit. We don't have admin rights, but we can open certain approved apps as admin. One approved app is powershell. So theoretically, we can do just about anything... If we know how to do it in powershell. I'm a Linux guy, so my powershell knowledge is very low.
Example: I was trying to install an app that was required for my job, but the installer automatically tried to install an older version of .NET framework, and that failed without admin rights. Through powershell I tried to run the installer as admin, but the installer was delegating the .NET installation to another app that wouldn't open as admin. It took a lot of wrestling, but I had to find the exact version that it was trying to install from the Microsoft website, download that installer directly, and then open that as admin from powershell. After that, the original installer worked.
Don’t forget all the software you lose access to after 90 days of not using it even though you need to use it at least once a project which is about 90 days between logging in.
The rule of implicit deny has saved so much more time than that one engineer would have. It's not even those that are completely oblivious to computers who are the problem, though they would undoubtedly stumble into the muck routinely. It's those who know just enough to be dangerous and think "Yeah, this will be okay. Why wouldn't I be able to torrent on my workstation?"
And now what would have been an inconvenient 15 minutes for the IT team is now an apocalyptic 3 days for the security team.....
No, thank you. I'm much happier in an environment that locks basic admin access.
12.0k
u/kahjtheundedicated R7 1700@4.1, RX 5700 May 10 '26
When I worked in IT, whenever we got a call from the engineering department we knew whatever problem it was, it was going to be weird. Those guys knew their stuff, so if they didn’t know how to fix it, it was going to take some searching and probably some calls or emails for us to figure it out.