Policy: General Admin/Root Rights

This official policy document describes behaviours required of those Morehouse employees who have Windows, Macintosh, or Unix local Administrator or Root system rights (hereafter "admin access") on any managed computer at Morehouse. Typically, this refers to IT HelpDesk staff who have such power over all managed computers at Morehouse. Questions about this or any other IT matter should be directed to the IT HelpDesk.

No Unauthorized Access. Period.

Those with admin access are absolutely forbidden from looking further into other users' data than is necessary for the troubleshooting or technical support task at hand. If one must back up all of the data on someone's computer, do so in such a way as to minimize one's exposure to the content. Do not open Word files or emails unless the user invites you to do so. Do not browse over to a user's computer even to look at filenames unless that's part of a troubleshooting procedure. No peeking. Anything you happen to see that is managed by another user is confidential, whether anyone says it is or not, simply because its creator did not intentionally make it world accessible.

Passwords: Don't Ask, Don't Tell

Passwords to accounts with admin power are more important than those to normal accounts. Never under any circumstances tell anybody such a password. Also, never ask a user for his or her password, and prevent users from telling you those passwords if they try. A tech can reset any password as needed, or the tech has access to someone who can do that, so password sharing is never needed.

Logins: Don't Wander Off

A tech should know better than to leave a session logged in somewhere and not locked, no matter how insensitive that session seems. However, anybody with admin power is required never to walk away from a logged-in admin-grade session.
This includes when work is being done on a remote computer by VNC, for instance: if you've logged someone's computer in as you, you must monitor it until it is locked or logged out. Run-As can lead to the same effect: don't allow a Run-As of, say, Add/Remove Programs to sit around unmonitored.

Reporting: How To

Lots of things should or must be reported to HelpDesk. Email is the correct method in all cases in which no contact method is specified. Contact info is here.

Reporting: Tell HelpDesk What's Afoot

All IT HelpDesk staff are armed with knowledge of what's mundane and what's not, and all HelpDesk work lands in a ticket of some sort. HelpDesk folks should notify helpdesk@morehouse.edu when something unusual happens. Non-HelpDesk staff with admin power must report all activities conducted as admin to HelpDesk as soon as they happen, and should "pre-report" anticipated work when doing so is reasonable. Specifics are required in all cases in which short-hand has not been established. Required information includes: the name of the computer in question, the location of that computer, the account name of the primary user, and an email or phone number at which that user can be reached for follow-up.

Reporting: I See Dead Computers

Anybody acting in a technical capacity should report to HelpDesk any computer, software, or data that is out of compliance with the campus standard, that might be illegal (software piracy, etc.), or that might be offensive (porn). Those who encounter porn or stolen data should contact IT management immediately and should remove themselves from the support situation. Info on the standards can be found here, though there's more to it than that. Chat with an IT staffer if you're unsure.

Installing Software

Software installation should be done via Run-As from a normal account as much as possible. Only if that fails should a user log in with an admin-level account.
All software installations by non-IT folks must be reported to HelpDesk as soon as the installer has access to email; unless webmail's down, that's "immediately". In addition to the normal reporting requirements, those doing installations must report which version of which software was installed and which options were chosen during installation (if there are some that matter, like "network" versus "local" installation). If possible, a copy of the install media or a link to the installer URL must be sent to HelpDesk, also.

Licenses: It's On You

Anybody installing software not provided via the Add/Remove Software item in the Windows Control Panel nor via the Apps folder on the Windows network assumes responsibility for all license implications associated with the installation. In other words, if you install something we're not allowed to install, it's on you. IT tries to keep an eye on this, but that's not always feasible.

Not IT: Let It Be

Users who are not part of the IT HelpDesk group who have admin power on computers should make an effort to use the IT HelpDesk for those operations that need admin power: the admin rights are meant for situations in which having the HelpDesk do its usual thing just won't suffice. Also, each non-IT user who has admin power has it for reasons which require a subset of the power available. Non-IT admin-level users must not perform operations they are not authorized to perform even if their access level gives them the ability to do so. For instance, someone who has admin power in order to install software packages A through F must not install package M and must not do a "take ownership" ritual on a protected file for a user who makes such a request. When in doubt, phone HelpDesk.

If you touch it, it's yours.

Users within or without IT who undertake an action on a computer assume primary responsibility for the consequences of that action unless the action is within a well-defined set of normal procedures.
This is not to say we'll leave a user high and dry if someone tries to help, fails, and can't recover from the failure -- we'll take care of the user -- it's to say that the tech who blew it maintains responsibility for that action even if others step in and clean things up. This manifests itself differently depending on what blew up, so won't be expanded upon here. Upshot: make sure you're ready for the consequences of the special-case work you agree to perform.