Local Machine Admin rights?

Question

What is the opinion of everyone out there about having local admin rights for a developer on their local machine? Or at least the ability to do it such as through runas without having to rely on someone else?

Answer 1

I think it is a good idea. I'm for it. For all the development teams I have managed, I have insisted on it from IT.

Also, I usually push for rights to allow programmers to temporarily disable on-access virus scanning on their workstations.

Answer 2

I've found that most development tools require the user to be an admin to work correctly in all cases. It's a little annoying since, as a developer, we should switch to a non-admin account for testing, but it's doable.

However, if your question is "should we have to be an admin user to use our tools," then my answer would be no. Unless you're writing a driver, there's really no good reason (that I can think of) where an admin account should be required.

Answer 3

Absolutely necessary. And regular users should never have admin privileges.

Answer 4

Regardless of what the opinions of people here are -- and I think it's a pretty safe bet that most developers are going to think they need admin rights -- the question of whether your developers actually get admin rights is in the end going to come down to a complex interplay of politics, security policy, and Clue distribution at different levels of your organization.

In other words, if you're trying to poll the crowd here to get ammo for an argument, you've probably already lost...

Answer 5

This may depend on what you are trying to achieve and if any COTS products you are using require adminstrative priviledges. This might be required to use the product or to get it to run in your enviornment correctly.

For the developers in my area, they have to be approved for admistrative rights for their local box. It has been helpful in trying to troubleshoot issues, but has not always been necessary.

Some reasons you may not want them, would be if the user might not have those rights or priviledges. This might help find errors or issues, such as writing data to directories where the user might not have any priviledges. Depending upon where it is being install, there may be restrictions on the users priviledges, so not having priviledges may help in making sure it will work in the intended environment.

Answer 6

It depends on what you mean by "Developer".

DO NOT Grant Local Admin if...

Your "Developers" take business requirements and translate them verbatim into program code, in a well-developed, proven environment.

DO Grant Local Admin if...

Your "Developers" are Software Engineers that have the freedom to be creative, find new solutions, challenge the status quo of the software development process.

Answer 7

Depends on what you want your developers to write. For example, as a proof of concept, I fired up Eclipse + Apache + MySQL + Php (XAMPP) on a machine where I didn't have admin rights and I was able to do a lot. On the other hand, there is no way I'd be able to do effective ASP.NET + SQL development on locked down/no-admin-rights machine.

Also, if the code under development has to operate under no-rights, it can be useful to develop that way, e.g winforms apps.

Otherwise, as a practical matter, if the network admins cripple the corporate machines enough, developers will stop using them and use their personal machines, the suits will stop asking internal developers for work and start hiring outside contractors (who do own machines they have right to). I've seen the these patterns, too.