
User to Admin Elevation

JumpCloud Employee

We’ve been having a discussion in my circle about whether or not to give users admin permissions. In my consulting days, I was regularly asked to do that for the owners of my client companies. They wanted to be able to install their own choices of apps and updates when *they* chose to, rather than when we scheduled it. It became quite a dilemma.

Invariably, one client’s email would get hacked or they’d end up with some spyware on their computer.  But they didn't want to give up the control.

So here’s my question: Do you allow users to be admins? How do you handle it when your users need to do things that require admin access? Do you handle it differently for Macs than for PCs?


Community Manager

I have many thoughts on this (more from the end user perspective), but will wait for others to chime in.


Novitiate I

I'm a fan of a tiered approach, but it requires having a good data/access classification structure in place.

In a well-thought-out deployment, most users shouldn't need standing admin, and with a tool like JumpCloud you can elevate the user permission while on a support call or in a time-boxed window, depending on your security requirements. For those users who make a strong business case for needing standing admin for their day-to-day operations, identify the access that would be highest risk if spyware were installed and restrict standing access to those systems for those users who have standing admin.

If the policy is well thought out and clearly documented so that users know a) they need to make a business case, not just say it is annoying to put in a ticket a couple of times a year, and b) what their responsibilities and trade-offs are for taking on the responsibility of admin permissions, then many users will self-identify as not really needing admin.

As with most IT requests, getting at what the user is really struggling with, rather than taking on their perceived solution, can often defuse the situation. If they don't like waiting for updates, can you make a self-service portal for updates? If there is a piece of software that they see as essential for their work but isn't installed, can you add it to the approved software list? Admin is a blunt tool; get them the scalpel that will address their real pain point.

Novitiate III

Depending on the environment you are in, it can sometimes be possible to set things up such that a program that requires admin permission to run does not need an admin account to run. For example, with an Active Directory structure you can use security groups to assign the program to run with admin permissions. This minimizes the scope of the administrative access to that specific program, which does not allow the installation of new software, etc. We have some software that runs this way that does not require admin elevation to run, since the security groups permit it to run with administrative permissions.

In our company, which is not Fortune 500 level, even our C-levels do not have admin accounts. We will remote into their workstation to install applications at will, though. In the end the top levels have full say, even to the CTO. The most you can do in these circumstances is use soft skills to convince them away from having an admin account. If they must have one, then it would be better to set them up with a second domain account that is an admin account rather than having them use their main account as an admin account.

To touch on a prior conversation that's been brought up in the community, soft skills are really the best way to enforce secure practices. In the end, though, you really are at the decision the CEO makes. In those cases it's important to just minimize the risks as much as possible.