Users: "Well I could at my previous job"
Posted by FatBook-Air@reddit | sysadmin | 215 comments
Does anyone occasionally have users who you have to shut down when wanting something, and they respond "Well, I could do it at my previous job!"
It usually relates to either purchasing something we do not support or (more often) security measures. We have gotten more than a few new employees who call us "Fort Knox" disparagingly because we use AppLocker or don't allow all USB devices to function.
I consider these people cancers. Sometimes they get the ear of a dumb supervisor who champions their dumb ideas, and then we end up having to defend our decisions yet again. I wish other companies would tighten up, especially on security implementations, to make this less likely to happen.
angrydeuce@reddit
This was a few years ago but I had a guy freak out hard because of our firm 2FA requirement and lack of local admin rights. Dude was just the biggest asshole in the universe about it.
While I was talking to him about it (basically explaining that he can bitch and complain all he wants, he's going to have 2FA on his shit and is not going to get local admin rights, even the CEO doesn't have local admin rights) dude, without even a shred of self awareness or irony, says "My last company got ransomwared three times while I was there and they didn't even make us do this crap!"
All I said was, "Oh, your former employer that kept getting ransomwared didn't have 2FA enforced and let everyone be a local admin? Shocking!"
This ended up going all the way up to the CEO. I'm sure he thought he was going to get his way, but he clearly didn't know that me and the CEO have been working together for almost a decade and my word carries a lot more weight than his fresh middle manager bullshit does. Three of us talked in a meeting for a few minutes, I gave him the details, and he took care of it on his end.
Dude ended up getting fired a few months later lol
SuppA-SnipA@reddit
I also had people complain to me about MFA during my Okta rollout.
One manager said to me she will not use her mobile phone for Okta Verify... I said without skipping a beat "Then I guess you can't work". lol
This was before I knew about Yubikey integrations btw. Now I would get them a Yubikey and send them on their merry way.
the_federation@reddit
When my old company switched to 2FA, one of the options was to receive texts/calls to your cell phone. One user had no issue with 2FA as a concept, but asked if the company was going to pay for the texts/calls because he had a basic phone (no authenticator app) and was on a pay per text/minute phone plan. I said that was between him and his manager, all I can do is help set him up with 2FA and if he chose not to, he wouldn't be able to sign in.
angrydeuce@reddit
We solve that very easily...if the end user is not willing to do the 2FA dance, their supervisor gets to be the keeper of their 2FA.
It's funny...once their supervisor is the one dealing with this bullshit, it resolves itself extremely quickly. Imagine that!
Also why everyone is given a company phone when they start. They're welcome to use it for personal reasons if they wish but it's company property, all their 2FA is set up with that phone, their email is only on that phone, etc. "I don't want to carry two phones!" Fine, leave your personal in the car and now you're not carrying two phones.
Done and done.
andpassword@reddit
This somehow seems like a pretty bad idea.
narcissisadmin@reddit
That's a bunch of crap when MDM is a thing.
angrydeuce@reddit
Why? Nobody is telling anyone they can't have their personal phone with them, too, just if carrying two devices during work hours is a hardship for them, they don't need to carry their personal...
It's win win for everyone. We have two flavors of phone to deal with, not 100, the user experience is standardized, they have hotspot functionality so we don't have to deal with all the people with 1meg internet at home being unable to VPN in, and completely removes the need for work to ever touch one of their personal devices.
supremeicecreme@reddit
Wait… Pay for texts they’re RECEIVING?? Aren’t those free to receive?
the_federation@reddit
Not always on limited cheap plans
cosmos7@reddit
No, not on many basic or pre-paid accounts.
tech2but1@reddit
It's another "WTF US" thing.
bhambrewer@reddit
"Dude ended up getting fired a few months later lol"
Gosh, you don't say? Who could have seen that coming! Wow!
angrydeuce@reddit
Just another one of those people that think IT doesn't contribute anything worthwhile and they know better.
Same person went rogue a month or so later and decided to trial a new accounting software package without talking to anyone about it first, not even the CFO, and of course I caught his call. I was genuinely worried about the guy's mental health because it is not normal for someone to be that angry, right off the bat, when I told him that I can't just install whatever bullshit on his company device he wants, that it has to be vetted, projects need to be opened up, meetings must be held.
This wasn't some mom and pop, either, this was a company with hundreds of employees spread across a dozen remote offices nationwide. The fact that he couldn't just waltz in on his own authority and move them off of Sage to whatever bullshit he saw an ad for on YouTube without talking to IT and a whole bunch of other people about it first just blew his fuckin mind. I mean, dude was personally about it, like this was just me being a dick because of our no local admin conversation a few months prior.
Cue the "IT is once again preventing me from completing my work" email to every c level in the building. Again talk to the CEO, who started the conversation with "Jesus what is this guy's fuckin problem?" and lay it all out for him. "Oh, don't you worry about this, I'll handle it. Close his ticket."
That was about a month or so before I got the termination ticket, and they're still on Sage, so I guess dude's case for whatever fly by night, totally ineffective for their usage, accounting platform he was all gung ho about, well guess that didn't sway anybody lol
bhambrewer@reddit
oof...when someone is like that off the bat, you have to wonder at their mental health, or where they are with their home life?
angrydeuce@reddit
Yeah, he was just such a dickhead right off the bat for no reason. I heard through the grapevine well after the fact that he was an asshole to everyone, like visibly shaking with rage and causing his office mates to fear for their safety.
Apparently it was one of those "Yeah, we're just gonna go ahead and have the police here when we have his termination meeting just as a precaution" sort of things.
Good riddance
Binky390@reddit
How does someone like that get hired? It seems like they can’t hide the crazy if they get that mad but I guess they can?
rskurat@reddit
lots of times they were recommended by some director or officer, their cousin's brother-in-law or something, and HR treats it like an order
-Generaloberst-@reddit
Don't know that guy, but it seems perfectly possible when such a crazy person is so confident of himself that he thinks he'll get his way. Maybe in a former position he could. That and at first everybody does its very best to please the company.
I can also imagine that if you could do whatever you wanted for years and later on getting restricted with everything, it's frustrating as fuck. Not everyone can deal with that. The other way around can be an issue too as it can be overwhelming.
This is not different than splitting with your insane former partner, at the beginning he/she was probably great, it's only after a while you get to know them and showing their true self.
I've seen good-at-first people turning out to be complete assholes and also people who didn't make a good start turning out to be competent good people.
angrydeuce@reddit
Dude, I have no clue. I mean we're all used to the fact that nobody's computer competency is verified like, at all, despite the fact that 100% of the business, every single facet of it, even down to the janitorial staff, relies on computer usage to some degree. That's insane itself in this year of our Lord 2025, but for someone like that, all I can guess is that he was medicated out the ass during all his interviews and once he had the job decided to stop taking them for some reason.
I never once had an interaction with him that wasn't immediately hostile from the minute I answered the phone. Like he was clearly pissed off that he even had to make the call and ask someone for something in the first place and couldn't just sidestep everybody (including his superiors!) and do whatever the fuck he wanted. I remember in one conversation I straight up asked him why he was getting so hostile with me over something so innocuous and he just went on another rant about how we were all negatively impacting his performance and he was sick of us "putting up roadblocks whenever he tried to do something to improve efficiency".
This wasn't some young AlphaBro Startup guy, either. We get those, too, no less annoying, but at least it's somewhat understandable as they've literally just waded into their career and don't know how the real world works yet. This was a firmly middle-aged middle manager that frankly had no excuse, as his shit wouldn't have flown anywhere that I've ever been.
It was so memorable that to this day, years later, people sometimes joke with me that they've got $DUDE on the phone looking for me. People that weren't even working there yet make these jokes because his legend has lived on far longer than his actual employment there did lol
Shazam1269@reddit
Only child syndrome? He must have been allowed to have his way at previous employers. Glad to see he got his comeuppance.
cosine83@reddit
They probably think they have to be that way to be an effective manager by "showing people who's boss" and taking initiative or something. It just shows how insecure they are and a lack of productivity on their part because they'll spend time blaming things on others. I had a manager once upon a time who started months after I did who wanted to flex by taking me off my work assignments to wrap cables. He then proceeded to yell at me in the parking lot for ignoring his bullshit to do my actual job. IT Director didn't like it but took his side and I got fired, though. Glad I'm not with that company anymore (Shift4), absolute draconian and insanely abusive management even outside of that instance.
WRX_manning@reddit
Going rogue on accounting software is bold AF. I can understand a project manager running wild with Monday.com or Smartsheet. Not that it’s couth but people are good at filling gaps in their workflow and these tools make it easy to sign up with your company email and install their desktop client in AppData. But GOD DAMN who thinks “Fuck ‘em, I'm gonna implant a new ERP.”
tru_power22@reddit
300? or bigger than that.
Either way that's going to be a BIG effing change lol.
angrydeuce@reddit
Some flavor of 300, and yeah, I could tell as soon as I navigated to the web page it was some consumer grade cloud based bullshit that absolutely will not work for them.
I was just humoring him anyway because, as I told him, these types of shifts at this scale are contracted out and have teams of people working on it for weeks if not months, representatives from both vendors involved. His response to that was "Oh, I'll take care of all of that".
Dude couldn't even figure out how to connect to the VPN without being shown like 5 times and he's going to convert all their Sage 300 data? Riiiiiiiight....
Oh the shit we deal with sometimes lmao
FALSE_PROTAGONIST@reddit
Haha I’m glad to see how you responded all the way through this, reminds me of myself. I am always polite but firm and professional. It always helps if you have a policy to refer to. So nice you had the backing of the CEO
angrydeuce@reddit
Yeah one nice thing about IT is that eventually everyone, from the person just answering the phone, to the guy running the whole show, has to interact with us in some fashion, so we tend to build relationships that don't stay limited to our little corner of the company. I mean, I've been out to most of the C-Suites houses, and had dinner with them and their families more than once. No way for him to know that, of course, but most people aren't going to just come in and start swinging their dick around without getting at least the lay of the land and figuring out how the office politics tend to work.
Not that guy though. He was determined to come swinging in on a wrecking ball like Miley Cyrus and figured everyone else would just get the hell out of his way or he'd flatten them. Bad call, Ripley!
FALSE_PROTAGONIST@reddit
Game over man!
narcissisadmin@reddit
In all fairness, there is a huge difference between users having local admin on their own device and users having local admin everywhere.
tallanvor@reddit
Yep. My main account has local admin on my primary machine, but domain policies still ensure all the required security stuff is installed.
I do not, however, have admin on the machine I have to use to access production systems. That's locked down so hard it can be frustrating, but I do understand the need for it.
angrydeuce@reddit
Some people do get local admin, under a secondary account, never their daily driver. The only impact to the end user is instead of just clicking "yes" to a prompt, they have to enter a second set of credentials and then click yes. It's a very minor thing that comes up very rarely and by itself eliminates a lot of nonsense. Not only by preventing the majority of things from leapfrogging off of their local machine (because it can't) but also because if they're doing something that they never received a prompt for before, and are suddenly getting an elevation prompt, they can stop and get us involved so we can see what precisely it is that it wants to do and supervise.
I cannot even tell you how many times that alone has prevented a lot of heartache.
But there is no reason why someone should ever be full timing under an admin account. You don't need admin rights for 99% of computing tasks. And I practice what I preach, even at home. Having to remember two sets of credentials is not a big deal, our heads are full of logins already, and it's not like they can't just pick up the phone if they can't handle it, we're always there to remote in and help them. I mean christ, I couldn't even count how many different admin accounts I'm juggling on a given day, it's got to be in the high double digits. Even with password management solutions I'm probably staring at a login prompt about 10% of my work day due to role isolation. It's not a big deal lol
Gadgetman_1@reddit
Way back when my IT department wanted to force a password-locked inactivity screen, my boss went to the Director (head of the entire organisation) and asked if it was OK to push a 15-minute lock on most users...
The Director insisted that it be 10 minutes, and that he wasn't exempt.
Being able to ask a whiner 'if even the Director himself isn't exempt, why should you be?'
Can't put a price tag on that.
Loved that guy!
Shazam1269@reddit
LOL, I had an only child demand his PC be exempted from the 15 minute lock policy. He wanted his set at 2 hours. That was an easy no.
metalblessing@reddit
Sounds like a great director. When we rolled out security training with PII-Protect our CEO made us except all doctors and executives from the training because they "don't have time for that", despite my pleas and advice that they are the biggest targets.
Tx_Drewdad@reddit
"Can you say that again, but slower?"
Shazam1269@reddit
LOL, right? Thanks for reinforcing my commitment to security, dipshit. You even took the time to provide talking points.
Signal_Till_933@reddit
The complete lack of self awareness with the ransomware thing though. I wonder how some people remember to breathe.
Smelltastic@reddit
lol, this reminds me of the lady who defended the sticky note password on her laptop by telling me that she also keeps her PIN in her wallet with her debit card.
like, so you're doubly stupid then? I do not understand this defense
Binky390@reddit
I work at a small private school that’s all Google Apps. A lot of the coaches have full time jobs elsewhere but coach part time at my job. When their employment is done processing, we sent their login info which of course gives access to all of Google Workspace then Athletics starts sharing whatever through Google Drive.
This one coach would not log into his email. I kept sending password resets as requested and told the admin in Athletics that he’s receiving them, just not doing what he’s told.
One evening I got a nasty email from him claiming his password for email had been set up but not Google Drive (which of course makes no sense). He had just logged in after about 6 weeks and then said in the email that he couldn’t reset his own password and was told to contact the administrator (default Google message). Then said there was no info for how to do that and if I’m the admin, I should make the page more clear.
I emailed him back and CC’d the director of athletics and the admin and told him one password was used for all services and he hadn’t logged into any of them and the page he was seeing was Google’s default page for that which we couldn’t change. Then I gave him all the contact info for how to reach IT, the school’s main line and said if he couldn’t reach us, Athletics could.
Athletics called to apologize for his behavior and told me they talked to him and told him they don’t treat IT like that. One of the most satisfying things to ever happen in my career.
WorldlinessUsual4528@reddit
Oh yes, we get many of these. Usually it's "My old company let me download whatever I wanted/needed, I don't know why you guys don't let us do anything."
HughJohns0n@reddit
"That's nice, but you don't work there anymore."
Efficient_Will5192@reddit
Was that a failing of their IT department? Or a failing of their management?
RhymenoserousRex@reddit
Yes
metalblessing@reddit
All the time. Most recently a week or two ago. Got a user setup with VPN and provided her a computer to work from home. We have them connect to VPN then RDP into a virtual machine. When in the office they RDP to that same VM. The large hospital she worked at previously had a full VDI Horizon infrastructure while we do not.
She asked me "when are we going to have this setup so that I logon to the same exact desktop no matter where I login from like at my old job?" Told her we don't have the infrastructure for that so probably never (we're not a large hospital, but a clinic). Same user also prefixes every question to me with "my husband is an IT Director and..."
RhymenoserousRex@reddit
"Great have him cut us a budget we'll wait on the check."
FatBook-Air@reddit (OP)
I love how they start with the idea that you just don't know how to do stuff. Like that is the only thing standing between you and greatness.
If you're not a F500 company and don't have F500 money, you may not be able to operate exactly like a F500 company. Shocker.
agarr1@reddit
I caught someone out who tried the "my husband works in IT" line. Got her to get him on the phone and it turned out that being a web designer didn't make him an expert in network management. Who could have guessed?
PositiveBubbles@reddit
🤣 i love those
Arcieus@reddit
One of our more recent customers has been complaining because prior to us updating their infrastructure they can no longer merge PDFs using the pirated software they were using before. We told them we can't be responsible for pirated software and won't be reinstalling it so they pitched a fit about having to pay for a PDF Editor.
AbandonFacebook@reddit
“At my previous job they compensated sales based on totals, not margins.”
Sunshine_onmy_window@reddit
does anyone NOT have these type of users?
Illustrious-Count481@reddit
Yeah. It doesn't say "Your Last Company" on the door. STFU.
Is generally my response.
GaijinTanuki@reddit
Facilitating colleagues to best achieve the organization's goals within the organization's resources IS THE JOB.
If you see your colleagues as 'cancers' you should probably resign and find something else to do.
(TBQH after a couple decades in these trenches, referring to your colleagues disparagingly as users is usually a red flag)
FatBook-Air@reddit (OP)
Piss off
Head_Helicopter_8243@reddit
This isn’t Burger King, you can’t have it your way here.
equinox6k@reddit
I had people complaining about our chrome extension restrictions and their ability to install "whatever they wanted". I usually just answer: "That's great, we don't do that here. We care about security of our patients."
aXeSwY@reddit
We provide a Device as a service, for multiple companies, and we also provide the solution for using and monitoring as well as hands-on support.
We either fully manage or allow their admins to manage it.
Good luck explaining to the users how we won't be allowing USB storage or any unauthorized access to anything regardless of how silly it may look for you. "When we used the (previous brand) we didn't need to do this....we never had an issue....I don't want to swap my badge before I am able to access my print jobs.... I don't want to use this or that software....."
We explain why with a generic response but for the "I'm almost an administrator" users we refer them to their COO, most if not all of them don't want to carry that conversation with them....so issue solved
Zolty@reddit
This is why security and compliance controls need to come from policy. It doesn't come because some sysadmin or IT manager thinks a control is good. When it comes from policy then you just point to the c level that approved the policy and have them take it up with that person, or go through a workflow to get an exception to the policy if the business is willing to accept the risk of the policy deviation.
niomosy@reddit
Hah. As if any C level here would bother with that. That's what their underlings and their underlings' underlings are for. That and the enterprise architecture team and architecture review board.
At most, a C-level is going to dictate what new item is now mandatory in the policy and those below them scramble to document, then implement.
Floresian-Rimor@reddit
Document and then implement? Which heavenly plane are you working on?
Scribble some notes, implement it and then 5 years later after everyone has left, the new IT bod gets to work it all out and try to write the documentation while putting out the fire.
niomosy@reddit
For regulatory reasons, we need to document. Then implement. Then show proof of said implementation. Now WHAT we implemented has a fair chance of being shit but we'll get it implemented.
FatBook-Air@reddit (OP)
Ours are board-approved policies. That does not mean for a second they can't be challenged.
Zolty@reddit
Challenged needs a procedure which has a clear approval process to result in a change or exception.
tonyangtigre@reddit
But then the board accepts the risk. The risk should be spelled out plainly, see what cyber insurance feels about it, and see who’s willing to sign the papers to accept risk.
FatBook-Air@reddit (OP)
Oh, sweet summer child.
KN4SKY@reddit
I learned this during my time in college. Any policy or control has to have buy-in from upper management to be effective.
Active_Flatworm1359@reddit
We don't allow any USB storage devices not approved by the company, Gmail, and a whole host of other online shit. We also use whitelisting so if it's not in the list it doesn't execute. That's only the first layer of security too, we have Palo XDR analyzing all approved apps to make sure they're not doing anything funky.
Users don't seem too bothered by it but I'm on security now and don't really interface with users anymore in my role as well. Restricting all that crap has removed 90% of random viruses. I don't understand why other companies don't take this stance. The biggest threat we have at this point is phishing because getting users to stop clicking on shit and entering creds is damn near impossible.
Angelworks42@reddit
Usually when I hear this I say yeah I'll look into changing that.
I'll even bring it up but chances are it's not changing.
sadisticamichaels@reddit
I have done a lot of M&A work and dealing with people who used to work from their CEO's garage but now work for a publicly traded company is exhausting.
"Our CEO told us we don't have to do that." "Well, your CEO is in the Bahamas enjoying his 8 figure check and the securities and exchange commission is quite adamant that you do have to do that."
DiligentlySpent@reddit
"What happened to your previous job?"
FatBook-Air@reddit (OP)
"Your previous job sounds like a dream. You should go back."
IamHydrogenMike@reddit
Sounds like my kid when they say their friend’s parents let them do something…I’m not their parents and I am your parent.
Snowlandnts@reddit
Your kid want to be adopted?
HotTakes4HotCakes@reddit
Nothing.
Is the implication it burned down or something because they didn't allow usbs?
Serenity_557@reddit
I think the implication is "why did you leave, if it was so great?" But yeah it's not a great rebuttal.
Snowlandnts@reddit
They can go back to their previous job.
kagato87@reddit
"OK. And? Who was your old job again? Maybe I can sell them some hardening services on the side."
ITLevel01@reddit
“I didn’t know the whore house had an IT department?”
Im_Caster@reddit
Hahahahahahahahaha holy shit that would be a hilarious response!
tech2but1@reddit
I do webhosting and get this a lot. Particularly with the "what do you mean we need to build a website, you just click a button and it does it itself".
StinkyBanjo@reddit
Well. At my friend's previous job his coworker used to jack off while watching porn. The boss knew too and didn't care. You know, religious people, some christian/catholic offshoot.
I'd use that example.
OkMulberry5012@reddit
User: I cOuLd At mY LaSt JoB.
Me: OHHHH, why didn't you say so in the first place? Well let me give them a call so I can mirror your permissions here. In the company where you are the new staff. And no one has any legitimate reason to trust you.
fixITman1911@reddit
More like "oh, why don't I give them a call and see if they'll take you back"
OkMulberry5012@reddit
I'd be willing to wager their old job let them leave for a VERY good reason and aren't interested in allowing them to return.
PositiveBubbles@reddit
My thoughts exactly
Hjarg@reddit
You're lucky it's just the enduser. I have a fellow sysadmin who is exactly the same.
PositiveBubbles@reddit
Mine was a desktop guy who came from another similar organisation, and I only just found out that one had Russians hacking into the VDI environment, lol
iammiscreant@reddit
I’ve had an exec tell me they NEED D365 admin access as they had it at their old work.
I tried to explain to them that what they think admin access is is not what they think it is.
I got overruled and, well, it ended up about as badly as you might suspect.
Apachez@reddit
Then just reply something like:
Also educate new employees about current policies and why they look the way they look. And also who they could contact if they would request for an improvement or a change of current policies.
Another thing to educate new employees that they are using company equipment - they can do whatever they want with their own equipment but when it comes to company equipment it's the rules of the company who matters no matter if you like or dislike them.
Hostificus@reddit
Stale SOP is what causes turnover. Apathy and not trying to find a compromise to make the employee job a little easier causes turnover.
Apachez@reddit
On the other hand at many workplaces and positions there is no room to compromise since there are best common practices or laws and regulations to comply with.
I'm guessing you wouldn't accept if a nuclear facility would "compromise to make the employee job a little easier" with safety just because one or two employees are too lazy to use the glovebox or such?
hkusp45css@reddit
All security is compromise. ALL security controls are just the agreed upon way we, as global market, say "we're doing this because the RISK is making us, and we're only going to put in enough to keep risk to a level we can stomach."
I think you *may* misunderstand the point of security.
It's not supposed to be the final stand of us against them. Security is supposed to protect the environment exactly enough to remain operable and profitable. It is not supposed to be some Byzantine labyrinth of controls for your users to claw through to find the cover letter for their TPS reports.
Apachez@reddit
I doubt I would misunderstand the point of security - but I do know from experience that many endusers/employees misunderstand or just don't care or don't give a shit.
So again I doubt you wouldn't accept to "compromise to make the employee job a little easier" when it comes to a nuclear facility for example?
Since there is a purpose of why a glovebox is being used for example.
hkusp45css@reddit
Don't rely on analogy. That isn't this. We're talking about this. If you want to talk about that, start your own topic.
woodsbw@reddit
Did you read their comment? This argument goes out the window when it becomes a legal or regulatory requirement.
Hostificus@reddit
But Security isn’t a one size fit all approach. That’s why we have different levels of certification and compliances. I would not expect a hospital to have the same certification as a car dealership. I would not expect them to run the same hardware or cyber security posture. I would not expect them to have the same risk tolerance or profile.
My comment was about companies that run extremely tight policies out of laziness. For example, my company could very easily set up a VLAN & BSSID for employees and guests personal devices. I use a LG G4 TV as my monitor in my office and some aspects of it doesn’t work if not connected to outside internet. The techs in the shop all have Sonos speakers on their toolboxes. There’s probably 40 clients in the building, it’s not like it would be a useless action. But IT said no. So we all use our work issued phones as hotspots so all our smart devices work. I giggled when I walked through with my WiFiman Wizard.
Apachez@reddit
And which is why one company policy doesn't mean that the next company would have the same policy.
And the employee must be educated about this fact in case they didn't already figure this out.
FatBook-Air@reddit (OP)
This.
hkusp45css@reddit
I think a lot of techs misunderstand how frustrating computer problems at work are for the regular masses. If your security, processes or policy are getting in the way of the productivity of your employees, they'll go somewhere less stressful.
Fixing it serves everyone's goals.
Hostificus@reddit
I’m engaging in shadow IT at this very moment because it takes my work day from 15 hours to 8 hours. I’m so efficient I got a raise over it.
I’m definitely fired if they find out what I’m doing. Oh well, that's what lazy IT policy gets you.
hkusp45css@reddit
It may shock you to discover that IT policies are pretty rarely written by IT people.
Cherveny2@reddit
redirect.
what exactly job function are you unable to complete without the requested X.
We have Y, Y does A, B, and C which is what X does, so how does using Y impede your job functions?
And any pushback, keep referring to exact job function, and how they don't need whatever to do their job.
probably the biggest is "i need admin access!" without explicit proof that you can't do your job without it, no, you do not
anotheremma456@reddit
Exactly this and I’ll usually pull the “I know it sucks I hate it too I’m just a fellow employee doing my job” card.
Like if the user harps on, I keep working on technically adding whatever policy that is compliant to get their use case completed while “yeah, I get that, some companies do that” and then go can you try doing x again and when it works they are surprisepotato and I go feel free to let me know if you have other issues executing x. (This is important to hammer down that you wanted to do x you can do it now. How we make it happen ain’t your concern) You wanted local admin to install, we have a PAM (that I add a policy to) and now you can install it tada! Local admin is irrelevant.
In the off chance that i cannot technically make it happen, i go i know this sucks what can we do! DAMN the compliance team. Here you go you can talk to
Moontoya@reddit
"well your previous job was leaving you at personal risk of criminal charges and hefty fines doing that. We believe in protecting our equipment and our users here"
Technically the truth, especially if GDPR data handling is involved (and almost everything IT related falls under data protection)
Sasataf12@reddit
To be fair, it's not just "regular" users. I've dealt with LOTS of tech professionals who pull the same stunt.
angrydeuce@reddit
Anyone that has a justifiable use case for needing local admin creds is already given those permissions in a structured way based on their role. They are provided a secondary local admin account unique to their department, and definitely not ever their daily driver account.
I get it, like we have guys in the CAD dept that need to update tools and plugins and shit all the time and they don't want to wait on IT to throw credentials in. They get the secondary local admin with our blessing and the understanding that if they come up against anything even mildly out of the norm, to stop immediately and contact us before proceeding.
But when Joe Blow receptionist comes on and claims they need local admin rights...lolNO. There is literally nothing in their job role that would necessitate them having local admin. I know this because I set up and maintain the permissions these roles are assigned in collaboration with senior leadership.
I'm not ever a dick about it, I worked in customer service for a lot of years and know how to talk to people and deescalate. But the people that want to be an asshole to me about it and try to be all "alpha" on the phone...well, they can yell and scream as much as they want, I'm not going to put my own ass on the line because they don't like having to ask permission for something outside of their job scope.
narcissisadmin@reddit
Why? If they're only LA on their own machine then they can only fuck up their own machine.
Sasataf12@reddit
I'm not sure why you replied to me with that very specific scenario.
But, while local admin is a valid request from tech staff, there are a lot of other requests that aren't.
"At my last job, that type of change didn't need to go through change control."
"At my last job, I had global admin access."
"At my last job, we didn't do code reviews."
Etc, etc, etc.
AussieHyena@reddit
I wish that was how it worked. Currently going through a situation where we were all given new laptops with new security controls. The developers need to install Visual Studio, Visual Studio requires admin escalation due to the security profile, developers are not allowed to have their elevated accounts as local admin.
They're having fun hammering the Service Desk with tickets though.
christurnbull@reddit
"then go back to your old job l"
br01t@reddit
If they tell me this for the third time, my answer is always: you can also return to your previous job if you feel better there
-Generaloberst-@reddit
Admins: Well, it was at your PREVIOUS job.... lol
With security we do explain why it's important, in my experience most end users make up horror scenarios in their mind that are not realistic.
Like MFA for instance, some are scared to death that they have to enter their MFA code into Outlook each time. Or paranoid people who think the company can read everything on their personal phone because they have to use an Authenticator. After explaining that it's not doing anything else than just generating a code, most are calmed down. Aside from that ONE guy who always has to be difficult lol.
Security is never user friendly, so it's always finding a good balance between that and usability.
trev2234@reddit
I’ve heard that loads of times. I work in healthcare and junior doctors move around constantly, so they’ll have something they can’t do here, that they could do there. I simply say that isn’t possible here, and I don’t make the decisions. If they want to complain then they need to go higher, and to leave me out of it.
I see no point arguing with them.
bukkithedd@reddit
People like that aren't worth the effort it takes to discuss things with, to be honest.
My procedure with them is simple: "We do things differently here. The security-measures are there for a reason." And then I walk away.
I've got users complaining about having to 2FA into the D365 Finance & Operations-solution we use every morning. They get kinda grumpy when I rather unequivocally say that "Yep, I know. It sucks. You won't get any compassion from me, however, I have to 2FA into various solutions 15-20 times per day due to various management-consoles being locked down. It's just the way it is, deal with it".
And yeah, it's a bit of a lie, but meh, I've long since stopped caring.
We've had people that go to my manager, who's even more brutal than me. People have tried going to the CEO, who just asks what IT says about it. Shit usually stops at that point.
mats_o42@reddit
Sometimes it's nice to have customers in a regulated/audited sector.
"Oh, you don't want 2FA, it's so big savings in username/passwords and no lock policy?"
"Well please go tell the parliament so that they may change the law, until that is done the non compliance fines will end your CEO's employment"
End of discussion
Actually HW based 2FA (smartcard/Yubikey) can save costs. In some cases the cost for the token is about the same as the cost for a support ticket. So compared to passwords the first pw reset ticket pays for the investment, the second is "profit". If you start adding single sign on on top it can get even better
Bogus1989@reddit
Believe it or not, a company merger was the best thing that ever happened to my org. Prior to the merge, there was really no Captain of the IT ship....and I was glad to have more of a takeover from the other side VS an actual merger. I remember meeting someone from national IT for the first time. Our boss's new boss, his position about 3 down from the CTO. Pretty much the first day of his stay was him saying "WHAT? You guys are maintaining that? What? I can't believe you guys do this here?" to then halfway thru the week "you will no longer be doing X, or Y, and here's the policy if anyone asks, tell them they can email me if they have an issue"
our entire team by the end of that week:
"WTF WE HAVE RIGHTS?"
AMAZING.
ms4720@reddit
It is nice when the merger tooth fairy zaps you with her wand
catherder9000@reddit
I have one younger guy, in his early 20's that constantly tries to push the limits in all the small things. He's the sort who states out loud to other co-workers that, "All these stupid admin permissions, I just need to do my job."
No, your job isn't installing software, it's not adding people to photocopiers and scanners with email credentials, etc. You're a fucking salesman.
dean771@reddit
No point engaging with these people
"I don't write the rules"
Atrium-Complex@reddit
We firmed up on no more shared/generic accounts for floor use and enforced MFA for all logins (also why we went away from shared accounts).
Had a manager actually ask me if IT has "gotten so dumb that you just can't create basic accounts anymore!?"
nhpcguy@reddit
Well we used to use whale oil for light, but we have moved on to better things
eulynn34@reddit
Lol “well this isn’t X company”
thealsomepanda@reddit
Luckily I work for a hospital system and the moment anyone gives me grief about our policies all I have to do is mention patient info and they go "yeah fair enough". Gives me a really good way to just shut down the conversation lol
Bogus1989@reddit
"well go back to your previous job then"
nighthawke75@reddit
That was then, this is now.
vermyx@reddit
You're taking the wrong approach imho. When things like this have come up my response has been "we do x due to y policy/insurance reason. I am willing to entertain a change that covers the same requirements and doesn't drastically change the cost". That will either a) shut them up (usual case - no one wants more work) or b) cause them to try and bring this up as a management item where usually cybersecurity insurance will come up and end the discussion, and in the cases where it won't, it should come to IT's desk as a request where you can usually come back and state what you have covers it. Defending your decision makes it look like you made the wrong decision or that there's something to hide.
In general when people say "I used to be able to do this at my previous job" I tell them "my previous corporate job was medical IT. I can lock it down further if you would like." This usually shuts down those conversations. Again it's not about why IT chose XYZ process.
Jake2099@reddit
I find it far more annoying when it's IT folks saying stuff like this or more likely "this is how we did it at my old job". Yeah, different environment, get used to it.
LordGamer091@reddit
I work law enforcement IT so I blame CJIS every single time, even if it’s not a result of it. They don’t even question it. Although I feel very lucky with the users here, very understanding 99% of the time.
Tmoncmm@reddit
My Brother! I blame CJIS too for stuff. I also use it to get them to spend money on needed upgrades.
lovingthecrewe@reddit
THATS TOO DAMN BAD!!
token40k@reddit
“Escalate to your manager so he talks to my manager and requests this feature, it is not part of our desktop policy at the moment”
Always make it manager issue, don’t get worked up over dumb shit
Hostificus@reddit
Hello, it’s me, Cancer.
IT policy is usually created from efficiently secure standpoint. I.E. “how cheap can we do this securely?”. The problem is your policy will arbitrarily raise walls or keep walls up to make your life easier, at the strain of the employee.
Case in point: I EDC Apple devices and have done so for 15 years. I’m a field engineer and constantly taking pictures of problems and creating tickets and uploading to our web ticketing system. This system requires VPN access. They give me a 7th gen i5 laptop to do this. I asked for a M4 iPad Pro (that I know can run the VPN client and pass ALL security audits and I already have CapEx approval for) and they said “no we can’t onboard that to domain”. So now to make a ticket I have to take the pictures on my phone, insert a type-c, transfer to the USB, wait for my laptop to spool up, connect to LTE, launch VPN, 2FA into VPN, log into the ticketing system, plug in the USB and wait for TL to sniff it, upload the photo to the ticket. With the iPad on LTE, I literally could already be inside the VPN, open the ticket and take the photo there as I’m building it.
But they’re too lazy and that would make my job too efficient. Ehh, I get paid hourly.
hkusp45css@reddit
Adding support for an entire OS ecosystem so you can continue to use your iPhone isn't a hardship the company is foisting upon you.
If it makes you feel any better, we wouldn't have entertained your request at any of the enterprise environments I've worked in, either.
That said, I definitely would have suggested a better workflow, and I probably would have dumped some man-hours into developing a solution for your problem.
Only because if it's friction for you, it's probably friction for others.
Hostificus@reddit
Marketing uses Macs and iPads. I don’t buy the excuse.
Instead now they have techs emailing photos to themselves to get inside the VPN to add photos to the work order. Some are not even adding photos at all now, which causes lapse in SOP on the service side and make it hard to maintain documentation. It’s to the point we’re seeing measurable turnover since they changed to the new ticketing system.
hkusp45css@reddit
Maybe they just don't like you, personally.
It's just a guess based on the available evidence.
Hostificus@reddit
Because I care about being efficient in my position?
hkusp45css@reddit
No, that's probably not the reason.
Hostificus@reddit
Well I’m gonna do my thing. Too much revenue is on the line for them to be fuckoffs.
Fast-Mathematician-1@reddit
First off. I see you, I hear you.
But we should, of course, review the control mechanisms we use and reassure the managers of the value of those risk management strategies.
The alternative to them understanding is a whiplash of change that can't be mitigated, and we have to do it anyway.
All I say is listen to the users, accept their feedback, and try to address it constructively, even from the "what about users."
dannyb2525@reddit
I remember a guy saying he used to work in a nuclear silo and it was less security than this and I was like either you're completely full of it or that's very concerning lmao but wanting MFA is really not that big of a deal my guy
Recent_Ad2667@reddit
"You're on a different planet now, Bob."
Canada_Ottawa@reddit
There are some legit reasons for a 'sandbox desktop environment'.
If legit, provision a 365 Windows virtual machine that is walled off from the rest of the corporate network.
Welcome to your Windows 365 Cloud PC | Windows 365
No access to production environments / networks / assets / applications / tools / ...
Isolated on a dedicated sandbox only network, with clear expectations that everything on the network is vulnerable and expendable.
Costs, pails, shovels, crying towels, ... all are the requesting area's responsibility.
DarthtacoX@reddit
Oh I'm just going to say that first of all it sounds like you're kind of a douche. Calling people cancer and everything like that is idiotic and doesn't help anything including your outlook on people that you're supposed to be working alongside with. Second thing is it sounds like these people are not being responded to correctly if that's their response and if they often have to respond back to their managers and try to get their managers involved. Sounds like your whole department needs to work on your communication skills when it comes to standard users. These people are not idiots they're not dumb they do jobs that I'm sure you would find difficult as well. And you would question why things are being done a certain way if you are in their shoes doing their job. Having a good introduction to a new company is always the best thing and it sounds like that isn't happening very much at your company if you have that many people that say something similar to that to you on a regular basis.
Hostificus@reddit
Sys Admin you have to be a douche, it’s part of the job.
DarthtacoX@reddit
I mean you really don't. Unfortunately so many guys go into this job with that attitude and become dicks but it just is terrible. I was a very successful system administrator and I had zero issues with my users. I also have people skills and I understood how to speak to people at every level from the CEO all the way down to the newest user. Really not that difficult to learn. Now you're on my own company and have to deal with system administrators of every sort. The ones that I get in yelling matches because they can't see the trees for the forest. All the way to the end users that I work with that then have to deal with the system administrators. Luckily my business has been very successful for the last 6 years and I haven't had a need to look into going back into just administrating.
FALSE_PROTAGONIST@reddit
I agree
FutureGoatGuy@reddit
"I could install whatever software I wanted without IT at my last job."
"Cool, you're not there anymore."
FALSE_PROTAGONIST@reddit
Yep. Put it in the IT policy and have them read it and sign it on their first day
FALSE_PROTAGONIST@reddit
“K”
bws7037@reddit
When I get comments like that, unless they persist, I don't even dignify that with a response. But if they do persist, I ask questions like, "Would you allow me to insert a thumb drive into their personal computer, that I found on the street?"
Nonaveragemonkey@reddit
I love it at a place where they transfer from another dept, and the rule is organization wide. Well that department let me do x.. No, they fucking did not let you run some no name Chinese shitty software.
StrawhatPreacher@reddit
Typically my response is "well at my last job I played online chess for 8 hours a day but now I only play at lunch soopooo..."
agarr1@reddit
You don't work there anymore, you work here, this is how we do it and now it's how you will do it.
jess-sch@reddit
Sometimes it's dumb users, other times it's dumb IT.
My company prevents me from putting my laptop to sleep. The only option is hibernate. This might make sense for people who don't shut down their laptops at the end of the day, but it's pretty damn stupid when I'm just moving to another room. (Also, you pretty much have to shift-shutdown the laptops once a day because otherwise all the garbage monitoring software which eats 30% of the CPU starts acting up.)
hkusp45css@reddit
Forcing you to hibernate over choosing the sleep setting is best practice, not dumb IT.
The real issue is that users who have no frame of reference for what "dumb IT" looks like, because they don't know anything about enterprise IT, generally.
jess-sch@reddit
Best practice according to whom exactly? And with what justification? What specific attack is prevented by blocking sleep?
And before someone says "extracting FDE keys from RAM"... as long as I don't need to enter a BitLocker PIN, an attacker can just boot the previously hibernated laptop and then extract the FDE keys. And let's face it, most orgs (including my employer) just use TPM-only BitLocker.
Also, don't we have memory encryption nowadays?
"Best practice" once again just means "this has been drilled into my head years ago. I do not actually know why it is important to do this, and so therefore I am unable to assess whether the reasoning behind this decision still makes sense under current circumstances. but this is the way we've always done it, so we'll keep doing that."
hkusp45css@reddit
We do have memory encryption as long as you have one of Microsoft’s Pluton TPM, or Intel/AMD TME/SME. If you don't then it's still a vector. Sleep is slightly less power hungry and slightly faster to come up from. Sleep is only as secure as hibernate if you're employing BL+TPM2.0+PCR validation+SB+UEFI. If you're missing (or have misconfigured) ANY of those, there's no benefit.
Finally, and this is my personal experience, but hibernate tends to cause less problems compared to sleep. The wakeup from sleep is one area that is always a little glitchy. Hibernate seems to just work.
So, hibernate was the original best practice. There are OTHER best practices, if you have the ability to leverage them (BL+TPM+SB+UEFI).
Hibernate is also STILL best practice if: you have data that is controlled by regulatory orgs; pre-boot auth is needed; device theft is a credible risk.
As an aside, I really take exception to the idea that people who feel one way about something are just holding on to their antiquated misconceptions. In a LOT of cases other people may have different opinions from you because their experience, environment, sector or regulation of those things make those decisions make more sense to them than they would to you.
I work in finance, we're pretty heavily regulated.
We chose to hibernate, on purpose, because it matched our posture. Not because I was simply unwilling to let go of my 30 years of IT experiences.
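The controls argued over in this exchange (BitLocker protector type, TPM, Secure Boot/UEFI) can be read straight off a laptop. The following is an added example, not code from any commenter: it uses the built-in BitLocker, TPM and Secure Boot cmdlets from an elevated Windows PowerShell session, the function name and verdict wording are made up here, and it does not read the PCR validation profile or the memory-encryption state.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report the controls the commenters name
# for one volume. Function name and verdict wording are made up for this example.

function Get-ResumeExposureReport {
    [CmdletBinding()]
    param(
        # Volume to inspect; defaults to the OS drive.
        [string]$MountPoint = $env:SystemDrive
    )

    # BitLocker state and the key protectors configured on the volume.
    $volume     = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that need user input or a startup key before the volume unlocks.
    $preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
    $hasPreBoot   = [bool]($protectors | Where-Object { $_ -in $preBootTypes })
    $tpmOnly      = ($protectors -contains 'Tpm') -and -not $hasPreBoot

    # TPM presence and spec version (starts with "2.0" on a TPM 2.0 part).
    $tpm     = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Confirm-SecureBootUEFI throws PlatformNotSupportedException on legacy BIOS firmware.
    $uefi = $true
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch [System.PlatformNotSupportedException] {
        $uefi       = $false
        $secureBoot = $false
    }

    # Map the findings onto the two positions taken in the thread.
    $verdict =
        if ($volume.ProtectionStatus -ne 'On') {
            'BitLocker protection is off: sleep vs hibernate makes no difference to disk exposure.'
        }
        elseif ($tpmOnly) {
            'TPM-only: the volume unlocks at boot with no user input, so resuming from hibernate adds no pre-boot barrier.'
        }
        elseif ($hasPreBoot) {
            'Pre-boot auth configured: resuming from hibernate demands it again; sleep leaves the volume unlocked with keys in RAM.'
        }
        else {
            'No TPM-based protector found: review the protector list manually.'
        }

    [pscustomobject]@{
        MountPoint       = $volume.MountPoint
        ProtectionStatus = $volume.ProtectionStatus
        VolumeStatus     = $volume.VolumeStatus
        KeyProtectors    = $protectors -join ', '
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        TpmSpecVersion   = $tpmSpec
        UefiFirmware     = $uefi
        SecureBoot       = $secureBoot
        Verdict          = $verdict
    }
}

Get-ResumeExposureReport | Format-List
```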
Smith6612@reddit
Many do this to keep the BitLocker or Encryption Keys from persisting in memory while the system is in sleep mode. Hibernate is more trustworthy, as it returns the responsibility of accessing data back over to the TPM.
Newer systems support Memory Encryption at the chipset level, which should absolutely be turned on! However, HP and Dell have mixed support on enabling this using scripts with the BIOS deployment toolkits they have.
ZeroOpti@reddit
Did not know this, and may be why my old laptop would never go to sleep!
Hostificus@reddit
My VPN crashes if I sleep. So I have screen off if I close the lid and carry 3 Anker power bricks I use as UPS when the laptop is in my bag.
megasxl264@reddit
"This is not your previous and if you'd like it to be go speak to HR"
Grrl_geek@reddit
Funny you bring this up today! We lock down a lot, too, and today had a particularly snarky user reply *in a ticket* exactly what they thought... it sparked an hysterical teams IT thread which helped get this day off on the right foot. Our mild-mannered director was dropping "poop" emojis in the thread which was uber funny!!
BituminousBitumin@reddit
Having a policy to point to while shrugging is awesome.
The_Koplin@reddit
I have one particularly toxic user who is in a semi influential job. Handles grants, "planning" and other sorts of things. So far he has fractured our department, removed physical storage and overall damaged the ability of IT to perform functions.
Simultaneously he has pressed for Teams, when our VDI system is tuned and set up for Zoom. He has pressured junior staff for software installs on his laptop, and overall been very manipulative. No one on the team wants to deal with him anymore. He says things like "I was 'IT lite' at my last job". (His last job was happy to give him a glowing recommendation to get rid of him). To get him off my back I gave him limited admin to the Teams side, still bitches that it doesn't work. Then go fix it buddy, I don't care. We have a working and supported solution you're actively choosing not to use.
He is one of those users that will keep pressing for something and then trying to work around policy and process just to get his personal desires fulfilled.
All of that came crashing down the other day. For weeks he has had a ticket open about an email issue. "The firewall is blocking important emails and its hindering my job". I even escalated this to Microsoft since the sender and us are O365 customers. The issue, the sender messed up their SPF, or Microsoft has something messed up sending for that tenant. Try to explain it and nope he says the emails get delivered to his other accounts. (RED FLAG!). Then he says he is using his personal home email to get these messages and doesn't like that option. Told him, that's on him for sharing it and to tell his vendor to fix their email system/SPF.
He goes on to say (in an email) since IT isn't helping he is going to create another email address on another system and use that. I kicked that to my boss, his boss and HR. Now he mopes around like a beat puppy because he outed himself for violating company policy. Final nail in this, my boss said, ANY request or communication to or from this person is to be routed to him ASAP and we are not to engage.
So in summary, yep!
metalblessing@reddit
It's amazing when the types of users who should know better or deal with the most sensitive data do the stupidest crap. I've on several occasions had a nurse call us asking to help add a doctor's shared calendar to her outlook. I say sure and hop on only to see that it's a freaking invite to a gmail calendar.
I tell them "no, we are not going to support putting patient data into gmail" I then let the CEO know and let her deal with that. It never ceases to amaze me how many people with medical degrees can spectacularly fail to acknowledge HIPAA
Carlos_Spicy_Weiner6@reddit
Irrelevant, because here we do shit correctly. Got a problem with it, file a complaint with HR.
povlhp@reddit
Don’t have that issue. But we got lots of thank you for protecting the company and me when we block users or force them to change passwords after they become high risk.
dub_starr@reddit
cmonn, give them some grace, they got used to being able to do something at a previous place of work, and want to continue doing it. if after the first time they still do it, then they can GTFO
justgimmiethelight@reddit
I’d just say, “new job new rules”
justcbf@reddit
Wait until you have a boss who has that as a standard response to almost everything. Managing up is as much of a skill as managing down, but very different
Glittering_Wafer7623@reddit
Yesterday someone called because he couldn't install his Matrix screensaver, and yep... "I could do it at the last place I worked". Fortunately, leadership here is pretty security-conscious and very concerned about compliance (we're a highly regulated industry), so I never get pushback for being "too strict".
patthew@reddit
Screensavers in 2025 is crazy, just sleep your display.
madknives23@reddit
Nails meet chalkboard. I hate this so much. Go back to your last job then!!
patthew@reddit
Hell, I’ve seen this within IT. Someone new comes aboard and tries to introduce some nonsense workflow or process, and defends it like “well we did it this way at my old company just fine.” Ok man, why are you no longer at that job?
mgb1980@reddit
“We don’t compromise our security to compensate for someone else’s technical ineptitude”
I may have used that, or slightly less harsh variants, to 3rd party IT folks who want to argue that we should whitelist their domain because they cannot configure DKIM/DMARC/SPF correctly.
Sung-Sumin@reddit
I just stay silent until they start to complain about something else.
DocDerry@reddit
Default Answer: Why did you leave your old job?
hkusp45css@reddit
I once answered "will they take you back?"
My boss was trying very hard to keep from giggling while she "counseled" me on my professionalism.
Otto-Korrect@reddit
We've done a few mergers and have always been the bigger partner. You should hear people complain when we say "As of Monday, these will be your new security rules. None of these items is optional."
Otto-Korrect@reddit
We are a bank, and often hire people who have worked at other banks. From what they tell me they could do at 'their other job' I'm amazed they haven't been shut down by auditors.
Running as admin, writing passwords down on scraps of paper, installing any old software they find online, and so much more.
Sample-Efficient@reddit
No USB devices allowed is unworldly. I'm an admin and responsible for a lot of shit, but security doesn't end in itself. We provide resources for the productive ppl to get their jobs done.
HotTakes4HotCakes@reddit
Oh look, yet another opportunity for this sub to circlejerk themselves raw about how beyond reproach their policies are and how little they care about users.
hkusp45css@reddit
I mean, this sector is a magnet for misanthropes.
Velvet_Samurai@reddit
I've heard that before and I just say, "Well your old job was wrong, they should be ashamed of themselves. They sound like complete amateurs."
Or something like that.
meagainpansy@reddit
"We protect our lUsers here"
HotTakes4HotCakes@reddit
Or they had different use cases or risk management strategies?
FatBook-Air@reddit (OP)
Most of the places these people are talking about have never uttered the phrase "risk management strategy."
Fresh_Ad4765@reddit
For me it's mostly "we had unlimited Outlook storage" Buddy archive some shit you have 4,000 unopened e-mails.
AdmMonkey@reddit
Most of the time I will reply with something like, they were dumb at your old job... But still worth listening even if they are annoying most of the time, sometimes they have a point.
Ssakaa@reddit
It's important to always start from "they have a point". That point may be based on wrong assumptions or bad information, or it may simply not apply in your environment, but they have a point. Usually that point translates to a valid point of "this control is inconvenient", which is always worth considering now and then. What in the process can be streamlined, et. al. And, "we can't do that, but let's run through this process a couple times to find the delays, see if we can work on those" is drastically better than "you're dumb, go away."
hkusp45css@reddit
I refer to this as the "yes, but..." rule. I don't tell people we CAN'T do something. I tell them we can do something BUT there are constraints.
If someone asks "can I be local admin?" I don't say "no" I say "what are you trying to accomplish and what exactly is in your way?"
This way I'm not the asshole telling people "no." I'm the reasonable one who wants to solve their REAL problem, while they're shrieking like a loon that they want to toss out our security posture because they like to keep their cell phone in their purse or the console of their truck.
HotTakes4HotCakes@reddit
You're in the wrong subreddit to imply users may have a point sometimes.
Ssakaa@reddit
Nah, just another variant of an RCA to do. They have a point, but it's rare they have reasonably identified it.
weed_blazepot@reddit
"We have strict client requirements."
djl0076@reddit
People who insist that they need their domain account to have local admin rights piss me off.
No, no, you don't.
Hell, all of us in IT followed the same rules. In addition, none of our domain accounts had domain admin rights either. Everything was done by escalation.
At my last employer, we were quite lenient. People with a proven need were given local accounts with local admin rights. If they abused them, then they were removed. One sales engineer insisted that he needed them. The VP of sales got it approved.
He called me one morning in a panic. He had let his son use the laptop, and it was royally messed up. It was a Thursday, and he was traveling the next day.
I spent nearly 10 hours remotely fixing it. I almost gave up and wanted him to ship it to me, but I finally fixed it.
I should have told my manager but I let the case notes speak for themselves.
At home, I've done this since Windows NT Workstation 4.
To this day, it angers me that Microsoft makes the user you create during a new install an admin.
EstablishmentTop2610@reddit
I hear you, but also sometimes defending the security measures we take helps to keep the userbase informed, or at least the ones that will care
Dave_A480@reddit
I don't know - companies can come up with some pretty redic security requirements...
For example:
1) We use smart cards for account auth
2) We also segregate Windows admin access via separate smart cards (eg username.adm01 with a separate card)
This is all fine and dandy so far, but...
3) If you do not have an admin card & need to manage things that use AD auth, you can get a password exception for your primary (regular user) account (so you can have both a password AND a smartcard - say to log into Linux/appliance/etc things over SSH)... However, if you have an admin card/account you can't get a password exception on your non-ADM account no matter how much stuff you may need to access via SSH using your non-admin-account-username (Because admin accounts are only for Windows).
It's like the people making the infosec policies are all click-ops Windows types & don't know shit about the rest of the IT universe that doesn't do Remote Desktop (or desktop anything, really)....
JBear_The_Brave@reddit
Brand new sales guy:
"How do I go about getting some personal databases on this laptop?"
Whatever the hell that means, you don't.
Dude was flabbergasted. Turns out it was an excel template he liked to keep customer information on. If you don't even know what you're asking for, don't be shocked when the answer is a resounding NO
Few-Dance-855@reddit
I used always say “that’s cool” then walk away 😂
mr_data_lore@reddit
"Feel free to go back to your previous job then."
IntelligentPurple571@reddit
"why can't I install stuff? I had admin rights at my last job and used to handle IT tasks"... I don't understand why people can't accept it or continue to bother me when I tell them I enforce the rules, not make them.
Hostificus@reddit
My previous job used G-Suite Business and allowed local admin. Our VPN client EXE could be downloaded from our G-Suite and our computer login was the VPN login, no MFA. Did government contracting…
Affectionate-Cat-975@reddit
then maybe you should go back to work there
Layer7Admin@reddit
Your own company doesn't make policy here.
Dogupupcouch@reddit
I often like to defer to other "sources of authority" like Microsoft or a Company Policy and empathize with the annoyance since they are often just looking for some empathy when MFA made them late clocking in or added stress getting ready for a presentation. They don't need to know that I wrote the company policy on data security or that I could override certain settings in the tenant, just something external to point to so we can all make it to tomorrow.
If it's someone with power or say in the organization, I'm more likely to tear into them on regulatory, legal, and security factors that they need to be mindful of. The Private Equity firm backing us actually gives a cyber security score to anyone they are funding with random audits, so that helps a LOT in keeping upper management buy-in.
Ganjanium@reddit
“Oh wow, we don’t” is usually my reply. I never get much of an argument either lmao
Optimal_Law_4254@reddit
I’m not ready to call frustrated human beings cancers. I get where both sides are coming from. My stock answer for them is to understand their frustration and tell them that I am not the gatekeeper. I then share the link for the exception process. If your company doesn’t have one, refer them to the head of your IT security or your manager. Let them be the bad cop.
webguynd@reddit
I just say "Huh, interesting." and that's it lol. Waste of time to argue, or explain, or educate. They won't listen anyway. I don't have the time, energy, or even obligation to explain policy or reason to end users, unless they are nice and genuinely curious.
But yes, I agree with you on other companies tightening up. There's an appalling amount of incompetence and laziness out there. Especially small businesses that have a shitty MSP, or no IT at all outside of the owner's brother/sister/cousin/friend. It's weekly at this point we get spam emails from one of our customers that have been compromised because they don't bother to use MFA.
IamHydrogenMike@reddit
This is basically them saying their friend's parents let them do something that you won’t let them do and they should grow up; be an adult.
thewaytonever@reddit
I just say "Neat, things are different here. You can email X person if you want to have it changed."
beren0073@reddit
“Is your previous job in the room with you now?”
Krigen89@reddit
"Cool."
bhillen8783@reddit
You don’t have to be the best in terms of security, you just have to be better than the companies who don’t use controls at all.
BadSausageFactory@reddit
That's very interesting but was there anything else I can help you with?