Have You Properly Set Administrative Permissions and Privileges for All Your Employees? 

You don’t want just anyone snooping around your network, do you?  Nor do you want all your employees to have access to financial records and other confidential information.

As the owner of a business, you must ensure employees have the access they need to do their job, and nothing more.  The way you do this is by setting up permissions and privileges for each of your employees, with different levels of access based on their position in your company.

Administrators

Administrators can make changes to your network’s configuration, add and remove programs, access all files, and manage other users. They have the ability to set permissions for users on your system.

Administrators manage all the permissions granted to your employees. They have the ability to make operating system changes, install new software, use devices and create and modify user accounts. Make sure only certain trusted users have administrative privileges. This is necessary from a security standpoint.

Administrative privileges are associated with your or a particular user’s account. Administrator users are allowed these privileges while Standard users aren’t.

You shouldn’t use your administrative privileges all the time because you might accidentally change something you didn’t intend to (like delete a system file). If you had administrative privileges all of the time, you might accidentally change an important file or application by mistake. Only using your administrative privileges temporarily, and when you need them, reduces the risk of making mistakes

Each user should be granted different permissions for what they need to do on your network, computers, and applications.

Permissions and Privileges

Permissions are access details given by administrators that define access rights to files on a network. Administrators give users permissions to access specific resources on the network, such as data files, applications, printers, and scanners.

A permission is the property of an object like a file, where users are permitted to read, modify, etc.  Folder permissions include things like Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.

A privilege is a property of a user where they are allowed to do things like performing maintenance functions.  For example, an employee who works for your customer service department may be assigned privileges to view a customer’s information that is blocked from other employees.

Permissions and privileges can be granted by owners, administrators, and users with the authorization to grant permissions (typical administrators on a system).

You don’t want to give every user free range where they can access all the same files.  You want to manage whether they can add or remove programs, or surf the web freely. Because if someone goes to a site that’s corrupt or includes a virus, your network could be compromised. 

How This Works

Permissions are also applied to secured objects, such as files and folders, Active Directory objects, services, or registry objects. Permissions can be granted to a user, group, or computer. You can assign permissions to objects to the following:

• Groups, users, and special identities in the domain
• Groups and users in the domain and any trusted domains
• Local groups and users on the computer where the object resides

The permissions that are attached to an object depend on the type of object. For example, the permissions that can be attached to a file are different from the permissions that can be attached to a registry key.

When there’s no requirement to have permission to perform an action this termed an automatic privilege. For example, after logging in to a system, logging out won’t require a privilege.

A granted privilege is usually accomplished by logging onto a system with a username and password, then the user can be granted additional privileges.

When assigning file and folder permissions, administrators should keep the following in mind:

• “Read” is the only permission needed to run scripts.
• Read access is necessary to access a shortcut and its target.
• Giving a user permission to write to a file but not delete it doesn’t prevent the user from deleting the file’s contents.
• If a user has full control over a folder, the user can delete files in the folder regardless of the permission on the files.
• If no access is granted, or it’s denied, a user is denied access.

Users who have been delegated extra levels of control are called “privileged” users. Users who lack most privileges are defined as “unprivileged,” “regular,” or “normal” users. 

Denials of Permissions

Permissions can also be explicitly denied. For example, you might want to allow your administrators to perform an action, but deny this to other users. This gets complicated though—If you explicitly deny domain users, you also deny any domain administrators who are also domain users. (Because many get confused here, you should probably avoid the use of explicit denies unless absolutely necessary.)

If you aren’t sure if you’ve set up the proper administrative permissions and privileges for your business users, contact ✅ IT Services By Colorado Computer Support. We’re always happy to help.  Call (719) 355-2440.  Or email us at: blake@coloradosupport.com