As we move to Active Directory, we will also implement certain changes to the availability and use of administrative access on our computers.
By “administrative access” we mean the ability to perform certain privileged activities on the computer, including (among other things) reconfiguration, software installation, and user management.
These changes are a response to university policy, which generally reserves such access to trained IT professionals acting within the course of their assigned duties.
In the past, it was common for end-users to have administrative rights on their assigned computer. This made it easy to, for example, install new software when needed. Unfortunately, easy software installation can create various problems, such as:
- Opening a security vulnerability or weakness;
- Introducing software conflicts that may cause other issues;
- Failing to take advantage of existing software licenses for the same or similar software;
- Installing software without a proper review of the applicable license agreement (the “EULA”), which might contain terms unfavorable to the university or contrary to applicable state law;
- Creating an obligation for the college/university without proper authorization.
Beyond software installation, the growing sophistication of computer operating systems, coupled with the increasing challenge of maintaining proper cybersecurity, makes it extremely difficult to keep individual computers AND the overall network secure. Minimizing the number of people who can make changes minimizes the potential for introducing security problems AND makes sure that those who are charged with maintaining security have the best possible chance to do their jobs effectively.
However, we understand that there are some special situations where it may be necessary for end-users to have elevated privilege to meet specific needs. An obvious example is where a researcher is writing software and needs to install and uninstall it to test new versions, but there are certainly other situations where elevated privilege is needed.
So, with proper justification and approval, we can provide users a separate privileged account that they can use to “elevate” privilege only when needed. The privileged account is not used to log in to the computer, or for routine computer use, but is only used when a privileged activity must be performed.
See the information on Exceptions for details about requesting and using a privileged account.