How Much Admin Privileges Should You Give New Employees?

Share on email
Share on print
Share on facebook
Share on google
Share on twitter
Share on linkedin

manage-app-permissions-win10-featured

It’s the age old question—how much rope do you give the new guy (or girl)? If you give them full access to everything, they’ll be able to get the job done, but they may destroy your business. Too little, and their hands will be tied.

From small to large businesses, it’s a question many IT managers have trouble answering. In fact, we asked a bunch of IT pros for this story, and all of them gave different answers. A particularly poignant response likened giving Active Directory access to the new guy the same as “Giving your Ferrari keys to a learner driver.”

No Admin Privileges: A Quick Path to Resentment

A lot of the IT pros voiced that during their first job, they were given no access at all. Their supervisor had to come back and always give them permission, leading to frustration and, yes, resentment.

On the other hand, those who had been given the “keys to the kingdom” on day one had felt almost overwhelmed by the damage they can do, and through stumbling, learnt a lot on the journey. And once they’d had full access, it was extremely hard to move to jobs where they went to having none at all.

Full Admin Privileges: A Massive Gamble

That said, the damage that too much administration privileges can do is well documented. From the threats disgruntled employees pose to your business (especially if they have access to your backups) to accidentally formatting your servers, there’s plenty that can go wrong. In fact, many businesses underestimate the risk of internal threats compared to external ones, often at their peril.

So while your employees may be less resentful and learn faster if you give them full access, the potential for mass damage is still there, but in a different form.

Just Enough Administration: The Deceptive Goldilocks Solution

With the release of Microsoft Server 2016, you’ll hear a lot of people (including us) go on about the new ‘Just Enough’ and ‘Just In Time’ features. Put simply, these features allow you to assign select permissions to a user, and also set a time limit so these privileges expire after the job should be done.

On the surface, this sounds like a fantastic solution for everybody—you’re giving your employee enough permission to get their job done, but not enough that they can overstep their boundaries and mess up everything.

As great as these features are, they’re not a tool to be blindly applied to every business, particularly small IT companies. For example, if you’re a service provider and running a single person business, and you hire someone to do work when you’re not around, it’s nearly impossible to use a ‘Just Enough’ Administration model.

When you go home, the other person needs a lot of permissions to get things done and deal with any scenario that crops up. It’s just not feasible to set up two or three different timed permissions every day and go home.

Admin and Everyday Accounts: Limiting the Damage

Another approach many people take is giving everyone who needs it an everyday account, and another one for their Admin privileges. Then, they attach logging software to the admin account to make sure everything they do is held accountable.

While this gives you a good set of records if or when the new employee does something wrong, it runs against one obvious problem. It’s a post-mortem solution, not a preventative. If your new employee crashes servers that service an enterprise-level company, it’s only semi-helpful to be able to point fingers.

So What Is The Right Answer?

Even after examining every pro and con, we discovered that in the end, there is no right solution for every business. However, depending on the size and nature of business you’re running, there’s approaches that will work better for you.

If you’re part of or running a small company, you’re probably best giving your new employee both an admin and personal account, and giving the admin account all the privileges they’ll need to deal with any situation when you’re away. If you’re particularly worried, logging software is recommended.

(And if you’re REALLY worried, then either train your employee up more, or maybe reconsider your staff pick.)

For an enterprise level company, ‘Just Enough’ and ‘Just In Time’ Administration is highly recommended. You’re too big to have a single employee jeopardize everything by having too much permissions, and there’s probably enough employees to spread the permissions around without affecting operations too much. Having separate user and admin accounts is also recommended.

For a medium-sized company, you’re going to have to use your gut based on your business needs, and what you feel comfortable risking. Make sure when an employee leaves to always revoke their admin access and change the passwords ASAP, perhaps even a few days before they leave. They may be a little irked by this in their final days, but since they’re going out the door, the short term morale effects are probably worth avoiding a large scale IT incident.

And Protect your Backups!

No matter what size company you are, make sure whoever has access to your backups is closely logged. This is a copy of all your business data in one place, and if a disgruntled employee walks out the door with it in the form of an external drive, they could do some real damage. Accessing customer accounts, giving information to your customers, using it to change all your passwords—the avenues for damage are many.

Firstly, keep a list of everyone who has access to your backups, and make sure they’re veterans who can be trusted. Secondly, make sure those backups are encrypted—preferably with software that can do AES-256 Encryption.

If you’re running a Windows server, BackupAssist offers high level encryption at incredibly fast speeds, for both physical and virtual servers, and it’s affordable for SMBs to Enterprise businesses (Free trial here). If you’re using another sort of server, we have a guide here for what you might want to look at.

Leave a Comment

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email. Join 1,874 other subscribers