|
no, our supervisor is in the same situation. Doesn't work like that.
And the mandate comes from a very high gov office. There's nothing you can do and no one you can complain to.
|
|
|
|
|
I have local admin rights.
I used to work for a company that did not give ANY of the engineers/developers, admin rights - that sucked.
|
|
|
|
|
I'm very lucky. At work I have all the necessary clearances to be granted a smart-card that gives me admin authorization to install software and such, if needed.
But 65,000 of my coworkers have no such luxury. If they want to update something or do anything that requires admin access, they have to open a service ticket and wait. A tech may come the same day to help them, if they are lucky.
|
|
|
|
|
While I have admin rights my manager has to fight for them every year. the same fight, the same argument and the same result... I get my rights approved. A monumental f***ing waste of time and effort and they have been doing this for over 10 years.
The argument BTW is that we need to support a critical windows service, the fact that the service has not been used in 6 years has not been disclosed to them.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
Where I am now (and also at my previous job) you could request local admin rights and "I'm a developer" was enough justification. But now they are trying to take it away and have us request it only when we need it. The request, of course, also requires our boss' approval so that would delay the process significantly.
Certainly most developers here don't need local rights all the time, maybe only when installing third party software and such. Most stuff we write doesn't get installed locally.
But, we few developers (i.e. only me) who actually develop tools and utilities for ourselves do need to install locally whenever we make a change and having to wait even a few hours can be a significant delay.
So, when they asked me for justification of why I need local rights I sent screenshots of me trying to use gacutil without rights.
And it worked.
This week I got an email saying I'd soon have a separate local account that I can use.
I don't know how that will work out, but I envision having a shortcut that will launch a dos box running under that user.
|
|
|
|
|
This sounds like a serious case of rectocranial inversion, and the only known cure is to eliminate the individual who invoked the limit on the development team. You have to have admin rights, at least on your own machine, to do the job. And someone in your group needs admin rights to the entire network, in order to implement your solution.
Will Rogers never met me.
|
|
|
|
|
In my last job they wouldn't let developers have admin rights on their laptops, and we had to request rights every time needed them.
I pointed out that we were developing Windows desktop and services with installers and we might need to install/uninstall multiple times a day, still no go.
The only answer was to raise about 25 requests in a single day until they caved as we were inundating the requests system with support tickets.
In my new job I get full admin.
|
|
|
|
|
If all else fails, annoy them into submission.
|
|
|
|
|
I work at a large global IT consultancy company. I have almost full admin rights. There are some programs that are enforced on all computers. This is usually not the case in smaller national companies here, where u often may chose and order the computer and applications that fits you best. And there are some regulations on which applications we are allowed to install. Butt otherwise I have full admin rights. It would be quite hard to develop otherwise. But as I am a consultant, and every customer has different demands, I always develop in virtual machines where I have the windows and database versions etc. matching the customers environment. So in those I have absolutely no restrictions, since I create them myself.
I also use my computer privately at home, but of course I also work from home every now and then.
Working for a global company, I have seen that the culture and level of responsibility and trust given to the individual differs quite much from country to country, and some times from company to company. In Sweden, developers are usually given a high level of own responsibility. After all, as developers, we are the ones who have the expertise how to best solve our asignments. The IT-department cant but blocks in our way or we would yell at our bosses who would force the IT-department to remove those blocks so that we can do our job.
|
|
|
|
|
I'm lucky is this respect, i'm both the software developer and network admin so i have domain admin rights. I have given the other developers local admin rights though as i know how much of a pain a restricted user account can be when you're debugging software.
Plus, you'd think a software developer actually knows what they're doing with a computer when compared to the people in sales or accounts, or even those pesky web developers who nag for admin rights just so they can install itunes and other such crap...
Personally i know i wouldn't be able to do half of my job if i didn't have admin rights
|
|
|
|
|
Hey Suzanne,
There are a lot of workarounds for this:
1. if it won't get you in trouble and if you have a local admin account, use it to grant your user local admin accounts
2. use a shim: https://petermassa.com/?p=197[^]
3. launch a windows explorer, powershell or cmd window with runas admin and don't close that process. you can use it then without having to reenter the credentials every time.
the command line for the device manager is:
mmc devmgmt.msc
I hope it helps
Dan
|
|
|
|
|
Of course I have admin rights on my machine. I run Visual Studio .NET 2003 occasionally, which requires admin rights just to run under Win7. I'm responsible for our installers, which also require admin rights. I'm also the DSJB(*), which means I keep our source control and build servers running, so I also have admin rights on those machines.
Every time this topic has come up with our corporate IT organization, I've told them that removing my admin rights will make it impossible to do my job and bring product development to a screeching halt. That plus the fact the IT yabbos have never been able to fault any of my group's access to admin rights, makes this a non-issue. (*) Departmental Sh!t-Job Boy
Software Zen: delete this;
|
|
|
|
|
Gary Wheeler wrote: Of course I have admin rights on my machine. I run Visual Studio .NET 2003 occasionally, which requires admin rights just to run under Win7.
What breaks without admin rights? I have 2003 installed on my box to look at some legacy stuff occasionally; but have never had to run-as admin to force anything I need to work.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
|
|
|
|
|
In order to get VS2003 to run under Win7 and above, I have the following properties set on its shortcut:
- Run this program in compatibility mode for Windows Vista (service pack 1)
- Disable visual themes
- Disable desktop composition
- Run this program as administrator
IIRC, items #1 and #4 are required for VS2003 to find registry settings and its own files properly. Believe it or not, items #2 and #3 correct a fault in the "find in files" operation that locks up without these checked.
Even with these set, there's a bug in the debugger (oh the irony) that fails to close a handle to the solution's .PDB file. After you've run your app under the debugger once, you have to exit VS2003 and restart in order to recompile your solution.
Software Zen: delete this;
|
|
|
|
|
huh. I don't have any of those set and it works for me. Is it just the C++ mode that's screwed up; the project I run in it is 99% .net/winforms. (There's a little C++ for a 3rd party UI component, but I never touch any of it.)
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
|
|
|
|
|
Yeah, these are all C++/MFC projects and settings. That's probably why there are differences.
I don't think the C++ compiler and linker are too affected by admin rights, although I can see where COM stuff might have issues with type library registration and accesses that required admin rights. I do know that native-mode debugging uses CPU debugging features (breakpoint/watchpoint registers and so on) that may not be used by .NET.
We have a substantial body of C++ utility code that got its start as long ago as 2000 (written using VC6), and then has been ported through VS2003, VS2008, and now VS2015. The biggest changes between each step have been correcting for new compiler diagnostics and replacing deprecated library function calls.
Software Zen: delete this;
|
|
|
|
|
Gary Wheeler wrote: I don't think the C++ compiler and linker are too affected by admin rights, although I can see where COM stuff might have issues with type library registration and accesses that required admin rights. I do know that native-mode debugging uses CPU debugging features (breakpoint/watchpoint registers and so on) that may not be used by .NET.
I think that's probably it. I know from a hostile user standpoint, full native debug rights are equivalent to full local admin rights because you're able to attach a debugger to OS processes and manipulate them to escalate your accounts rights. (OTOH in the real world there's a still a real difference in that only having native debugger rights requires subterfuge and advanced knowledge to affect system level settings instead of accidental oops anyone could do.) Managed debug rights just give you the ability to talk to the .net debugger but don't help with hacking the system.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
|
|
|
|
|
Domain admin rights here - got my fingers in just about every pot. Things get done fast as a result but it is a lot of responsibility.
To provide perspective maybe suggest that they spend a few days using one of their big, important Excel workbooks with cell-level password protection on every cell. My guess is they would crack in a few hours
|
|
|
|
|
Easiest way to get around this to the possible satisfaction of all concerned is to have one or more VMs (Hyper-v is the dogs doodads)with full admin rights - so you can do what you want) but not connected to the office network.
Now you use your 'real' machine for office interactions and you VM for pretty much everything else, safe in the knowledge it is isolated.
PooperPig - Coming Soon
|
|
|
|
|
I have full admin rights on my development laptop, but on the server not so much. Which makes installing and deploying new apps quite annoying.
Just the other day I was asked to migrate an existing web application on to a new web server, but of course I wasn't going to be given admin rights. So of course I couldn't even open the IIS Manager. I wonder what they will say when I need to create a PFX for the SSL?
There is a point where infrastructure has to start accepting that software engineers are admins.
-Wynter
|
|
|
|
|
Suzanne,
It will be different for different companies. I have been on both sides.
My philosophy is that we pay too much for the developers time to waste it.
At one company, they would make you sign a letter saying if a threat came through your computer,
then you absorb the financial responsibility. I was there when that employee had to pay to have their computer cleaned. Luckily nothing was stolen or spread across the network.
Finally, I would consider setting up a VM you develop on, and letting it have admin rights, but limiting its network ability. Especially when working on drivers, etc.
BTW, this is what we do now. All development is done inside of VMs we control the inside of. The companies control what the VM can do. It makes it easier to use outside consultants as well. Very little setup time.
|
|
|
|
|
I work at a huge (250k employees) company - we get admin rights if/when we ask. I feel your pain. And I don't know the solution.
|
|
|
|
|
I primarily write Windows Services, so admin rights are a necessity. That said, I am rarely in the office, and usually work from home (I go into the office perhaps 5-7 days a year), so I have my own development machines, my own testing servers, Hyper-V servers for virtual clients, etc...
My home-office dev machines are MUCH more capable and better maintained than our office desktops.
Working as a developer, I can't imagine not having local admin permissions.
|
|
|
|
|
I've been fighting this battle for many years, in many jobs. I am tired of it. I have gone through the machinations of "Proving" I need it, but really, it's just ridiculous. This is a timely topic for me, as my work has once again, decided to launch yet another Developers dont need admin" campaign. I am so tired of the battle, that I am willing to just sit and let the project timeline go bust, rather than make any huge effort to make them "come over and see". The Problem is usually rooted to a Developer, website, Architect, or Network Admin... who sells them the "bill of goods", which immediately casts suspcision "So they have been fooling us all this time?". Once that hook is set, the game is done, and it breaks the whole development group down. <loop>. Do I need admin "All the time"? no, don't be silly.. but when I do need it, I need it. You want to insert (x) hours for me to get it, thats gonna add up to significant time. Also - we have 120GB SSD's, that they load 100 GB of stuff on, leaving us barely enough space for VS. Then they issue us external drives to compensate, but we also have a "NO USB Drives allowed monitor", so we have to "request" permission to "Mount the drive".
Where there's smoke, there's a Blue Screen of death.
|
|
|
|
|
Wow, that sounds like a great way to secure the box, but I do agree with you that software developers generally need more free access to their box to get their jobs done efficiently.
Since you can't change IT, to make the pain on you less, you can probably use the scheduled tasks feature to make a way to launch the device manager as that privileged user without having to go through the UAC annoyance (nor the trouble of entering the account's password). See here[^] (it also works on Win8). You can pin that task to your start menu so its convenient. That's what I've done for the occasional times I need to run VS as admin.
Think of it as a poor man's low security sudo for Window.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
|
|
|
|
|