How to Keep the Boss Out

Members of the ISP-WIN2K list discuss how to deal with a manager who demands admin level access.

On the ISP-WIN2K list in November, JI complained,

A number of respondents noted that you've got to do what the boss wants:

[KK warned] "Unfortunately, there really isn't much you can do: he is the boss. He gets to call the shots. However, I would definitely cover your ass: send him an email stating your position and the security and integrity issues involved, and send a copy to upper management."

[CG agreed] "If he's the boss, and he's telling you to give him access, that's what you'll need to do. Of course, you'll have to fix it if he breaks it; otherwise, he might get the admin info elsewhere and lock you right out. I know it makes no sense logically to let him in, but this may be one of those things that you just have to bite your lip on."

Others suggested doing everything possible to dissuade him:

[RH observed] "My boss has an MCSE, but I still do not give him admin rights to our servers. The way we look at it, and he agrees, is that I am ultimately responsible for anything going wrong. So it's my decision."

[BS advised] "Tell him that computers are complex systems, that people unfamiliar with the specific configuration can easily cause system failures, and that you are not comfortable with his request. Be sure to stress that it is not a personal decision. Also ask him why he wants admin access: if he has a legitimate need, find a way to solve it. Remember, you have an obligation to the company to protect its IT systems. This is not always an easy position to take, but it is the right one. If he insists, make the decision: make a stink and get fired now, or let him do it, and get fired later when he screws things up and blames you. Managers who do not understand that people have limits are poor managers."

[JR added] "You need to speak with someone in management; the CIO, CTO, or CEO. In most cases, though, start looking for another job."

Others noted that offering limited access may be the best solution:

[DD explained] "With Windows 2000, you can delegate specific admin duties to him. A good admin's duty is to only hand out the rights required for the activities that need to be performed. Ask him what it is that he anticipates performing as an admin. I suspect that there may have been some event that prompted this request: there usually is. Find out what that event was."

[RH agreed] "I would look at the reasons why he needs access, or what he needs access to, and then create a group just for him which gives him access to those things but not to everything."

[MC recommended] "Cover your backside. Create a 'request for login' form and get him to fill it in with the 'type of access' field already written in with the phrase 'administrative access,' and have an authorization area for 'direct manager's signature.' Create it so that it is very clear what's being requested. Make sure you log everything to do with this user, and deny him access to those logs."

[LI recalled] "My company was contracted on a site where one of the managers insisted on admin rights, and I had the same reservations that you are having now. What I found out was that the most important thing to this manager was just that when they booted up and logged in, the little window popped up that said they were logged on 'with administrative privileges.' One of the things that made me feel better was to put them in the Admin group, but not the Exchange Admin group. The manager didn't know the difference, and at least some things were safe from harm. Proper social manipulation can be most helpful in this instance. Tell them that you're not really worried about admin rights, because any mistakes that screw up the server can easily be traced to the computer they came from. Even arrogant people will not mess with something they can get caught for breaking. Regardless, do good backups. Just in case."