User Permissions

[c.prettyman]

How many of you are giving your users only windows standard user permissions?

We've been doing this since we deployed 2002, I think, certainly since 2005. But with 2010 we're seeing new issues. We also switched from XP to Vista, so the folder structure and user profile setup is a little different, but not radically so.

The most common issue we're seeing is that people will periodically have their acad performance plummet. When this happens, we have learned, their system evet log will be full of error 10016, which is a DCOM error related to the windows debugger. WE're giving specific permissions to that DCOM object, which restores their CAD performance. Have any of you who give only limited permissions seeen similar issues?

We don't want to expand the permissions. The amount of mal-ware removal we have to deal with now is bad enough, but it is a very significant drop from what we used to deal with. And, the amount of software that people used to install for themselves was ridiculous. We have enough trouble convincing them that we only put software licensed to the office on office owned machines as it is.

[andrew.handley782323]

When you say 'only windows standard user permissions' do you mean on a by machine basis or via domain logon?

We found years ago each user had to be setup in the 'power user' group to get AutoCAD or any Autodesk software to work properly. This may have changed now but with a large pool of users I think we take the view, if it ain't broke...
The hierarchy of groups means the workstations are locked down and secure, while still granting power user access for Autodesk software.

More recently we have had similar issues with Adobe Creative Suite 4, which insists that every user be an admin for the menus to work correctly when using InDesign. No fix or help from Adobe and we have ended up having to dream up a hack to get round the issue.

[heath.simone]

We use standard user permissions with the C drive hidden from the users. All user data is stored on the users D drive, we have shifted the store for the users fav, doc's, music, etc... folders there also. It allows us to rebuild the machines should their be a problem very quickly without the need to backup the users data.

Certain folders that require modify/create/write access we apply those permissions to specific folders/files.

The Revit program folder is an example of this, you need to use your users modify/create permissions for them to be able to create journal files.

You should NEVER NEVER NEVER give users full access over their machine. We have had CAD users delete their windows directory as their C drive was running out of space because they didn't know they needed it.

[cadtag]

We use standard user permissions with the C drive hidden from the users. ....

You should NEVER NEVER NEVER give users full access over their machine. We have had CAD users delete their windows directory as their C drive was running out of space because they didn't know they needed it.

Wow... that is just wrong on so many levels.... Just how much training is made available for the staff on filesystems, OS, networking. And who the heck authorized hiring someone for 'computer' aided drafting who is that lacking in basic computer knowledge? That person is the first one you need to get rid of, and then the ill-informed sap.

If you treat staff as though they are partially trained monkeys, locked in a miniature sandbox, then you'll never have any employees that are worth keeping - because anyone who is will head for greener, friendlier pastures where they can be more than a monkey clicking on icons.

Quoting the sig of 'the King of Workarounds'... "The only thing more expensive than training your people and having them leave is not training them and having them stay."

[dgorsman]

The only thing more dangerous than a partially trained monkey is a human with enough knowledge to do something without knowing why its wrong. I do agree a certain minimum level of computer knowledge should be a requirement for just getting in the front door (ever had a prospect have problems using the Windows calculator?)

[heath.simone]

A little knowledge is a dangerous thing...

Most PC users do not know how or what half the stuff on their pc does. CAD users are no different with this. Yes there are users that are more capable IT wise than others, but many of them do not really understand what they are doing.

Most of the users in the current company i work for are what i would say are application smart. They are more than capable of using the software applications they are required to use, but nothing more... They can write scripts for autocad but don't know how or why they need to defrag their machines - or what it is for that matter. I know a few engineers/Caddies that are very competent on their cad application but have trouble setting out of office in outlook, using word's features like styles, etc... They have the ability to operate the machine and are very competent at their jobs, but they aren't IT staff for a reason.

As the original poster commented on:

the amount of software that people used to install for themselves was ridiculous. We have enough trouble convincing them that we only put software licensed to the office on office owned machines as it is.

If you give people access to install software you have no control over the systems. We have found games, cracked software, unlicensed software, virus, and unauthorized software all on users machines. Let alone the cost of IT spending time on the machine to resolve problems caused by the users "tweaking". We have also had cases of users installing software to get the product keys/serial keys for Adobe software, Microsoft Software, and other manufactures - this is a very big risk. Software conflicts are another - we have had open-source software conflicting with critical applications that crashed the pc on start-up, we have had service packs for some software conflict with our vpn software blocking access to the laptops network cards when the vpn software was active.

I work for a large multi-national company with over 900 Autocad users (thats not including other cad software like MX, Revit, Autopipe, Geoslope,etc), i can very confidently say only a very small percentage of those user would i allow full access to the machine. Those users that we have allowed full admin rights have a much higher support requirement than those users that have been locked down.

By hiding the C drive it's allowed us to virtually stop users saving their information into the C drive, allowing us to walk up to the machine and do a network deployment of our custom OS build without the need to spend hours backup user data before we can rebuild the machine. We can have a machine rebuilt and up and running for the user in under 2 hours. All user information as above is moved to the D drive as part of the registry and is incorporated into the custom OS build, all our software is deployed via an automated package deployment system (SCCM) so we can set at the time of deployment the required rights for the software that is being deployed.

[RobertB]

We too set up our normal users as Limited Users. No Power User rights for them. Revit is the biggest offender as far as Autodesk's software is concerned. AutoCAD has been rather good under Limited User rights for quite a while now (2006?).

[heath.simone]

Old i know but if you run a vbs to install your software you can add something like this (vista) - if you don't run a vbs you could run it as a bat or what ever to give your users the required rights.

Run "Icacls ""C:\Program Files\Autodesk Revit MEP 2010"" /grant:r ""<your domain>\domain users"":(M) /T", 1, True

This will grant the users modify rights over all folders and files in the C:\Program Files\Autodesk Revit MEP 2010 structure.

It's how we have managed to get our users working as they should (i.e. creating journal files) and maintaining the system security that we require.

[cadtag]

Give a cad user local admin to his workstation, and if the IT department is at all competent, the worst he can do is trash his workstation. That should not take that same capable, professional, IT group more than a man-hour or two to fix. cost to firm two hours non-billed IT overhead time, and two hours of lost billable time.

That same cad user can make a mistake on construction documents that could cost the company ten of thousands. (Transposing digits on FFE that ends up going throughout the plans and necessitates the adjacent road being torn up and rebuilt two feet higher has happened)

Why trust him on the expensive risks that could bankrupt the company, and treat him as an untrustworthy incompetent on the trivial?

[heath.simone]

You also have to factor in the opportunity cost of that IT personal working on that machine - what else could he be working on versus fixing a machine that a user shouldn't/didn't need to be playing around with to do his job?

If i'm spending time re-installing software onto a machine and recovering other users files on the machine because a "CAD User" has started deleting files off his machine because he was running low on virtual memory (he didn't know what it was and figured it was hard drive space) instead of working on resolving the actual issue he has - where is the benefit in giving the user the rights?

It's a documented fact in our company the more rights the user has the higher the support costs associated with that user.

Can you tell me why in day to day work you need full admin rights over a machine?

Please don't take this the wrong way, but what is your role in your company?

If your IT department is competent they should provide you with as few rights as possible to do you job. Their are tools available like the Icacls that i posted above to lock down the users from the system without impairing their ability to work without restrictions.

How about a user bringing in his own ****** hub because he wanted to run another pc at his desk, didn't realize he had plugged both ends of a spare network cable into the hub looping it and taking down the network? That impacted A LOT of users and the lost billable hours added up very very fast...