How to Keep Your Employees Happy With Their Company PCs (Without Losing Control of Your IT)
By David Murphy
If you’re a typical small-business owner, you don’t have a centralized provisioning system that can easily and automatically deploy each desktop or laptop system. You might not even have a dedicated employee, let alone a whole department, to manage your IT resources. And you probably give each user their own local login, instead of using a centralized authentication server. In other words, your employees have the keys to their local computer kingdoms. And that means they can do just about anything on their machines: Install new applications, install undesirable applications, change settings, and perhaps even unintentionally corrupt the Registry or download malware.
Giving your employees the freedom to try new tools, listen to music while they work, or visit social media sites in their off time will improve their morale and enhance their productivity. But that flexibility can quickly lead to disaster if they wind up ruining their computers, bogging them down with garbage apps, or worse.
So how do you balance keeping your employees happy with maintaining control of your company’s assets?
One strategy is to deny your employees all administrative control over their computers. Such a restriction would reduce the risk of your computers being waylaid by buggy apps and malware, because no one would be able to install anything. The drawback is that you–or your designee–would have to do all of the installing for them. That can be a time-consuming process, especially if you’re deploying a new application to your entire workforce–even if it’s just a handful of employees. Then you have to consider periodic security patches, bug fixes, driver updates, and upgrades. And don’t forget the need to install drivers and software for new peripherals, such as printers and scanners.
Granting Administrator Access
Instead of managing everything yourself, you can take a number of steps to bestow administrative rights to your employees without losing complete control over the computers you’ve provided.
Before you open up everyone’s computer for unfettered use, establish a baseline software environment that will be standard for each staffer. Set a policy that allows employees to augment their computers with new applications but prohibits them from uninstalling or disabling the baseline programs–especially the antivirus and antimalware tools, a secure Web browser, an office suite (unless you use a cloud app, such as Google Docs), and whatever proprietary software your small business needs to function.
Then, use an application such as DriveImage XML (free for private use; a five-user commercial license costs $100) to clone the system drive on each class of computer you’ll deploy. Your goal is to create an image of each type of desktop system in your office, from standard administrative machines to function-specific desktops (video-editing workstations, for example). If disaster strikes or an employee renders their computer unusable, you can quickly restore it to its original configuration.
You should also establish policies and procedures that employees must follow to minimize the chances that they’ll disrupt normal business operations. For starters, establish a policy that every employee must create a Windows user account, in addition to their administrator account, and that they must sign in under that user account at all times unless they’re performing functions that require administrator credentials. This policy will help prevent rogue applications from gaining privileged access to the operating system. You should also dictate that all employees store their work-related files on a shared network drive (located on a server or NAS box), and that they keep personal files in their personal cloud storage (Dropbox, SkyDrive, and the like). Inform them that the personal data will not be included in the mandatory scheduled backups.
The Power of Group Policy Editor
Local administrator privileges seem unstoppable, but there is a means by which you can exert fine control over the Windows operating system. The secret is to use Windows 7’s Group Policy Editor. Log on with the user’s admin credentials, and type gpedit.msc in the Windows search box (you’ll find it in the Start menu) and then press the Enter key. From here, you can disable access to critical Windows elements entirely–including the Control Panel–or you can choose which components you wish to allow your employees to modify. For instance, you might give them the ability to switch screensavers, but not to change printers or uninstall programs.
Don’t discount the power of the Group Policy Editor. If you’re the slightest bit hesitant about letting employees run wild on their systems, this handy Windows feature offers the ounce of control you need to keep your systems running smoothly. You’ll find all of the settings worth browsing and editing under Group Policy Editor’s ‘Administrative Templates’ folder in the User Configuration menu.
You can also block access to specific programs installed on a Windows machine; just open the Group Policy Editor and navigate to the System folder under Administrative Templates in the User Configuration setting. Double-click the Don’t run specified Windows applications option, enable the policy, click the Show button (it’s near ‘List of Disallowed Applications’), and then type in the names of executable application files (such as uTorrent.exe) as values.
This method won’t prevent industrious employees from renaming their favorite peer-to-peer programs to, say, “hatemyboss.exe” and running them, which is why you might want to combine your Group Policy edits with some additional changes at the network hardware level. You could, for instance, go into the configuration panel of your primary router and change the firewall settings to block access to all ports for your employees’ systems, save for those required for the computers to actually work–such as traffic on ports 110, 53, 25, and 80, to name a few. This is a nuclear option to prevent employees from turning your small-business environment into downloading central, but it is worth considering if peer-to-peer misbehavior is an issue at your workplace.
Finer Administrative Control
If your systems are running either Windows 7 Ultimate or Windows 7 Enterprise, you can make use of the operating system’s built-in AppLocker feature. Accessible via the Group Policy Editor, AppLocker provides even finer control over the items that system users can run on their machines. For example, instead of just blocking apps by executable name, you can go in and block apps by publisher, file path, or file hash. The file-path option is especially useful if you want to block all access to a digital download service–such as Steam–that puts all downloaded programs into a specific directory.
Do you need a third-party application to control your users’ activity on their systems? Not really. However, if you discover that recalcitrant employees with administrator privileges are circumventing your Windows-based access controls, you might want to look into stronger solutions. For example, if you install Faronics’ Deep Freeze ($35.50 per year) on employee machines, the program will restore each system to an identical snapshot every time the PC restarts. Or you could provide staffers with a virtual desktop that would give them the freedom to install their personal programs in a sandboxed environment.
As long as you’re willing to invest a bit of time setting up the right configurations, granting your employees administrator privileges on their small-business PCs won’t necessarily lead to chaos. You can even control admins without making your employees feel as though they’re working under parental controls from nine to five.