Mark Russinovich is a Microsoft employee; you may have heard of him. On a recent blog post he describes how his Autoplay feature in Vista stopped working due to a Group Policy update. Mark, being a coveted local administrator on his laptop (a work-assigned one, as implied by the post) found the setting to re-enable AutoPlay. And to prevent Group Policy from reverting the setting back to what his admin wants, he opted to block it by adjusting permissions.
Now, Mark likely has a work-related reason to use AutoPlay, and took steps to get his work done (giving a demo of the feature) by circumventing his admins and likely corporate policy. And then posted this for others to see and learn from, both technically and by example.
A local administrator is the master of the computer and is able to do anything they want, including circumventing domain policies…and that’s just one more reason enterprises should strive to have their end users run as standard users.
So, is Microsoft wrong for allowing someone like Mark to run as local admin? Or is Mark wrong for circumventing that trust? For lesser employees, I would be more forgiving, but Mark full well knows what he’s doing. Likewise, if anyone qualifies for local admin rights on a corporate-issued laptop, Mark is the least of your worries. Should Mark work with his GP admin to either do this better or make Mark an exception (admins love exceptions)? Things that make you go hmmm.
I just find this all unintentionally funny…and a horrible grey area for us professionals.