How to convince a big boss that he does not need administrator privileges?

The only time I was even a tiny bit successful on this was a boss who was willing to use run as with alternate credentials if he wanted to install something. I explained that even the sysadmins logged onto systems with normal accounts most of the time and then created him his very own admin account that he was only to use when he wanted to do something special. It was actually very effective, and kept his machine from getting totally screwed up in the two years that I was at the company. This was a relatively savvy CEO who was able to understand the whole run as thing, and I'm sure he had stuff on there I wouldn't have approved, but at least it stopped him from passively screwing stuff up.


Tell them they can have the same access that domain admins get, and then give them exactly that:

  • A standard user account that's connected to their e-mail, documents, and business apps they can use for day to day work.
  • A separate account on the machine that has administrator privileges for that machine (analagous to an admin's domain admin account), but that is NOT connected to their e-mail account or any business apps that require authentication based on the current logged-on user, and doesn't have any printers set up. This account should be broken by design, such that it will not be good for day to day use.

The idea is that the privileged account should be broken enough that it's less painful to stay logged in as a standard user most of the time; the boss will only want to use the privileged account when he really needs it. Big bosses almost always rely very heavily on access to e-mail and report systems, so if you can make accessing these from the privileged account a little less convenient you're in good shape. Half the time your boss will just forget the credentials anyway.

If this still doesn't satisfy them, then go ahead and hand out a full domain admin/root account, but still do it as a separate account from their normal working account — after all, they are the boss. Make sure the account is heavily audited. At this point, what they're often really looking for anyway is just an insurance policy or hedge against a rogue admin; they need to feel like the buck stops with them if it comes to it, and as long as they have a standard user account for their day to day work there's nothing wrong with this.