Is it normal to give 'users' administrator access to their company PC?

We currently have three levels of support for the users:

  1. Full support. The users only have basic access and a standard set of applications.
  2. Limited support. We do central patching of the OS and supply applications. The user has root access.
  3. No support. We supply the user with an internet connection. The user takes responsibility for the computer, including software and patching. We monitor the network for issues, and cut off the user if there is a problem.

This way the users can choose what they want and we minimize the impact, both for IT staff and for users. We have found that the users can be trusted to choose an appropriate level of support. I have a feeling that locking down users by default is very costly in terms of productivity.


There can be business justification for an end-user to have higher privileges. Often, it will be dictated by your company culture.

The best IT policy is to default to least privileges necessary to perform a job function. If there is justification and there are not technical solutions for maintaining lesser privileges, there is then a business justification for the additional access.

Some technical companies choose to give all users local admin access. Others, only technical staff.

In my department: without justification, they don't get access. With regard to workstation local admin access: technical users usually get it. If they introduce risk to the company, it can be reassessed on an individual basis. The average non-technical employee does not. We've never had a malware incident of any significance, but we run a tight ship in general.

I also answered a question earlier today, which is related to your question here. It covers some of the fundamental principles associated with access control policy and procedure.


My two cents:

1/ Admin rights are BAD. And malware is not the only reason why. Another, and often bigger, issue is that many users will add applications that you don't know how to support, or that get discontinued over time. Result? Three or four years like this, and you end up crying because for some reason a business-critical process is handled using an app that no one knows, or that was developed by a friend-of-the-guy-who-left-the-company, or whatever. I have a customer, for instance, who developed a BIG (and indeed VERY USEFUL) app using Lotus 1-2-3. A very old version. That does not run on any OS later than... Windows 98. And the guy who did this left the company. See the issue?

2/ If SOMEONE should NOT have admin rights, it's the developers. Because if they are admins, they will not make ANY effort to write their software respecting coding guidelines. And they will end up writing apps that NEED admin rights to run. Which is bad.

I'm a system admin and I'm running WITHOUT admin rights (not even local admin of my computer). When I need them, I grab them, for the duration of my admin task. That's my own life-saver. I can make mistakes... And mistakes with admin rights can be terrible.