How to convince a big boss that he does not need administrator privileges?

permissions

The only time I was even a tiny bit successful on this was a boss who was willing to use run as with alternate credentials if he wanted to install something. I explained that even the sysadmins logged onto systems with normal accounts most of the time and then created him his very own admin account that he was only to use when he wanted to do something special. It was actually very effective, and kept his machine from getting totally screwed up in the two years that I was at the company. This was a relatively savvy CEO who was able to understand the whole run as thing, and I'm sure he had stuff on there I wouldn't have approved, but at least it stopped him from passively screwing stuff up.


Tell them they can have the same access that domain admins get, and then give them exactly that:

  • A standard user account that's connected to their e-mail, documents, and business apps they can use for day to day work.
  • A separate account on the machine that has administrator privileges for that machine (analagous to an admin's domain admin account), but that is NOT connected to their e-mail account or any business apps that require authentication based on the current logged-on user, and doesn't have any printers set up. This account should be broken by design, such that it will not be good for day to day use.

The idea is that the privileged account should be broken enough that it's less painful to stay logged in as a standard user most of the time; the boss will only want to use the privileged account when he really needs it. Big bosses almost always rely very heavily on access to e-mail and report systems, so if you can make accessing these from the privileged account a little less convenient you're in good shape. Half the time your boss will just forget the credentials anyway.

If this still doesn't satisfy them, then go ahead and hand out a full domain admin/root account, but still do it as a separate account from their normal working account — after all, they are the boss. Make sure the account is heavily audited. At this point, what they're often really looking for anyway is just an insurance policy or hedge against a rogue admin; they need to feel like the buck stops with them if it comes to it, and as long as they have a standard user account for their day to day work there's nothing wrong with this.

Related

How to identify who/what uses a Windows 2003 server?
How do I destroy a hard disk?
Free automatic deployment systems?
How to do traffic shaping (rate limiting) with TC per OpenVPN client
What is the canonical name for domain names with extra parts?
What resources are best for staying current about information security? [duplicate]
Gmail does not accept mail from a new server
Install windows 2012 R2 over KVM-virtualizaton
Routing between two networks on linux?
wifi randomly disconnects windows 10
Replace windows explorer as default file viewer in windows 10?
How does one playback MIDI files on Mac OS X?