Limited Local Administrator Rights on University-owned PCs
At Valparaiso University, faculty and staff were traditionally given high level permissions on their University-owned computers called "local administrator rights." This practice allowed employees the ability to install software and conduct other computing tasks. Beginning in Fall 2017, IT will no longer allow all users of University-owned computers to have local administrator rights. Past misuse of these privileges has led to IT staff regularly allocating time and energy to fixing problems resulting from the same, such as restoring corrupted or deleted files, eradicating malware from computers, etc. One security breach could cost the University dearly in lost time, revenue, and reputation. We realize this change in policy may create challenges for users who once had unrestricted administrative rights to their assigned PCs, however, the risks associated with allowing complete unlimited privileges now outweigh the benefits.
By default, all users will only have User status on their University-owned Windows PCs. IT recognizes there are some faculty and staff who need to perform tasks requiring elevated permissions. To accommodate these individuals and provide this functionality, IT will create an additional username.admin account for these individuals on a case-by-case basis with membership in the Local Administrator group on selected PCs.
To achieve this goal, we will use Group Policies to remove all existing membership in the Local Administrator group and add the following security groups:
- Local Admin account (for which only IT has the password)
- Domain Admins
- A group of IT staff with the business need to administer PCs outside of IT
- SR-Dept (Where DEPT is the Organizational Unit (OU) for the department)
- A group of departmental users with a business need for Local Admin Rights
Users who are granted the username.admin account with elevated privileges must recognize these accounts are only to be used to provide credentials for tasks requiring such elevated privileges, and are not to be used for normal tasks like internet browsing or file/print operations. The passwords of these accounts will not be linked to the AMS or any other password management services. These accounts' passwords will still expire at a regular 185-day interval, and should be managed through the native Windows password change functionality.
Determining which users will be assigned username.admin accounts with elevated privileges will be a joint function between IT staff and the department's director, chair, or other employee delegated to serve in that role, and must be based on a demonstrated business need.
Users who are not assigned accounts with elevated privileges and need software installed on their PC will need to:
- Create an ITicket and have an IT member perform the task; or
- Have a member of their department with a privileged username.admin account perform the task.
We also recognize that there may be a business need for some individuals to possess temporary Local Administrator Rights to a laptop while away from campus; for instance, to install wireless networking access software at an off-site location. In this case, a temporary username.admin account will be created with an expiration date. The individual will need to login to the laptop on campus while connected to the domain to create a cached local account on the PC for the temporary username.admin account. This account will be active with Local Administrator Rights on the laptop until the computer reconnects to the campus domain after the account's expiration date. The temporary account should be requested via an ITicket through the Help Desk well in advance of the date it is needed to allow IT staff time to complete the request.
For a list of frequently asked questions about the effects of this policy, please visit this page: FAQ - Local Admin Rights Policy