Do You Restrict Your Client Stations?

I was wondering what you all do with your Client stations ?

Do you restrict certain access to them to prevent the users from fudging up the station or do you just get a standard windows image and just install the client software and let them be?

And if you do restrict them, in what manner do you do so ?

Of course it depends on the user. In larger organizations where there are some seriously talented people, very typically someone in the organization has full admin access. We let the client determine that. They paid for it. I would not presume to make that decision for them if they have the requisite skill sets. If it were, say a car dealership, I might wall them off from some things yes. A convenience store, definitely, but they probably would not have a VMS anyway.

When also engaged for IT services, we tighten the screws on everything.

Where the IT departments are frowned upon, (to big too and/or unresponsive) we do create a cusadmin accounts, needed user accounts, and or auto login accounts with local group policies that remove all menu access and auto logoff policies too.

It can also be a case where the IT or other departments should have ZERO access to the systems.

It can also be a case where the IT or other departments should have ZERO access to the systems.


Do you typically get asked by the end-user (owner, upper management) to restrict access, or lock out other departments? If so, do you ask for that to be put in writing? Do you hand over all credentials and configurations that you created to someone within these organizations?

I ask because I have worked with, and sub-contracted for, a number of integrators that believe that they can restrict access in these ways to avoid service calls / service issues (when the customer is on an MSA) or to limit the customer's ability to choose another integrator. I always found this to be odd. I have always been of the opinion that once the system has been sold to, and paid for by the client its their baby. I will do anything the customer wants as long as the request was within my SoW and signed off on.

Yes, within an organization where they restrict access from users, departments, etc. there is a user that has all of the credentials, we maintain a master copy too. The policy you list below is very common in the IT support industry. " limit the customer's ability to choose another integrator."

Being asked for the administrator password is a sign of being shopped. It's also a sign of they forget where they put the envelop or where they saved the keys. In any event, withholding that information is risky and could have legal repercussions.