Are These Stupid Business Network Decisions or Standard?

Hurican7

Hi all! I am attempting to make some informed decisions and persuade certain individuals in a manufacturing company, but am looking for some data to see if I am on the right track or not. I will be posting this on reddit later to try to get as much insight as I can. 

 

Background: Small American metal fabrication business, roughly 20-30 employees throughout my time here. Our goal is to be scalable for growth. I’m going to simplify things here for the sake of brevity.

From a traditional point of view, an office worker would do everything to complete a sale. (He would set up the sale, do the engineering/pre-production work, and then pass on the needed documentation to the production floor so the parts would be made.) However, the business has grown, CNC machines are involved that require technical knowledge to run/program, and the company has expanded into making more sophisticated products.

 

People need to collaborate on the same job, but there is no enforceable workflow standard. Each person stores their mission-critical network files in whatever way they want in an open Windows environment. Files have been moved/renamed/deleted/lost many times.

 

To combat this, we are trying to implement SolidWorks PDM to lock down the engineering workflows and documentation standards. However, a lot of this is still predicated on network permissions since some people will need to look at/physically print documents that they have no business altering otherwise. This includes senior management, who sees their ownership of the company as a God-given right to Admin status to change whatever files they want whenever they want, install software, etc.

 

(IMO they do not have the technical ability to do network management or for the CNC machine files, but as the owners, I guess they do have the legal right to rip the servers out of the racks and burn them whenever they want. Example: A secretary had a problem with a piece of software, so a high level manager called tech support and then needed to enter network credentials. He got mad that he had to enter a password he didn’t know, when in reality he has two network admin users/passwords that he didn’t even recognize would work for this.)

 

There are about two full time engineers, as well as two to three seasonal or part time engineers/CNC programmers on the network at a time, usually working on related projects. There are an additional 5 network users in the office/management.

 

Please vote at the links below:

"Should the owner have full Admin privileges on the company network?"

https://www.strawpoll.me/17082111

 

"Should the different departments be separate or intertwined?"

https://www.strawpoll.me/17082119

 

Please feel free to explain your opinions or suggestions.

Thanks for everything and for reading this post, it means a lot to me. Thanks!

For a small company of 20-30 employees it would be best to have everything separated by job duties, but the owner should still have full access to everything even if he doesn't need it since he's the only guaranteed employee for the company (if he fires the people with the domain admin accounts and he doesn't have one he's screwed). Trying to make a change like this for a small company who has done it one way for a while is really difficult and would probably cost more money (in the form of software and time) in the beginning, but eventually it would be beneficial so you should push for some form of order or standards. At the very least have a single file server with Shadow Copy enabled on the shared folders for employees to use as a start to be able to recover deleted/renamed/edited files, then move on to groups/roles to lock down permissions.

-KuJoe

If it was me.... I would GTFO and find somewhere better to work. A company being run that way isn't going to see booming growth. You can probably find a job similar to what you do now for higher pay and much better quality and control standards.

To answer your question, that setup is definitely not best practice, but as stated above, with a company that small they will not likely see the value in changing what they are doing. This is a problem in bigger companies too... people just don't like change.

1 hour ago, Hurican7 said:

opinions

<-- Professional IT admin here.

 

Here's the proper way to do this:

*Everyone* is a limited user. No install rights. Period. No exceptions.

IT has Admin rights.

Software is managed by a local repository (I use Kace K1000, flawless for this) and documented/tracked. This includes critical info like licenses, for auditing purposes.

Data is stored on a NAS, with tape backups. Mapped drives in user log-in script.

Active Directory gives users rights to some directories they need, and not to others they don't.

 

This accomplishes several tasks:

Streamlines daily support, allowing users to concentrate on what they are supposed to be doing.

Eases IT work, allows for proper backups in the event of errors.

Minimizes virus/unknown software issues.

Allows for a central repository of knowledge about what is going on with the business.

 

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e-mail will alert me.
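
The directory-permission step in the post above, sketched as an added example (not code from this thread or from any poster): engineers get Modify on an engineering share while office/management accounts can only open and print. The folder path and the `CORP\...` group names are hypothetical placeholders.

```powershell
# Added example. $Path and the CORP\* groups are assumptions; substitute your own.
$Path    = 'D:\Shares\Engineering'     # hypothetical folder on the file server
$Editors = 'CORP\Engineering-RW'       # hypothetical AD group: engineers / CNC programmers
$Viewers = 'CORP\Management-RO'        # hypothetical AD group: office and management staff

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Build the ACL from scratch so no leftover "Everyone" or per-user entries survive.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
# $true  = protect this folder from inherited entries
# $false = do not copy the parent's entries into it
$acl.SetAccessRuleProtection($true, $false)

$grants = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'    },  # IT admins
    @{ Id = $Editors;                 Rights = 'Modify'         },  # create, edit, delete
    @{ Id = $Viewers;                 Rights = 'ReadAndExecute' }   # open and print only
)

foreach ($g in $grants) {
    $rights = [System.Security.AccessControl.FileSystemRights]($g.Rights)
    $rule   = [System.Security.AccessControl.FileSystemAccessRule]::new(
                  $g.Id, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $Path -AclObject $acl

# Review the result: every entry should be explicit (IsInherited = False)
# and only the four identities above should appear.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Access is granted to groups rather than to named people, so moving someone between departments is a group-membership change and the folder ACL never has to be edited.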

Honestly, this sounds to me like you are trying to solve a problem from the very top on while everything below it is still not clear.

The IT tools and environment are chosen based on the defined processes within the company. The single biggest mistake you can make is trying to force a workflow by doing a specific IT thing, when what you really want is that a workflow is defined with the management from the business itself and then they specify what they need from IT.

The company I work for has its own department just for this, where I worked for a while, called Corporate Business Process Management. We don't define the processes on our own; we guide the business itself through it and then make sure our tools align with the process.

Now, this company is probably not big enough to justify its own CBPM department, but you should still at least define certain interactions and standards. In the long run this saves huge amounts of money because of all the customer complaints you can prevent by having your internal processes streamlined and fault-proof.

19 hours ago, Radium_Angel said:

Mapped drives in user log-in script 

You should move away from login scripts for tasks like that; GPO can do all the network drive mapping natively, as well as printers. It would be a very rare occasion that I'd use a login script. If I need to add reg keys for certain things, again GPO can do that, and if you need to filter their application then Item Level Targeting can handle it.

On my network, only us actual IT admins have admin rights. Though you are at the bosses' mercy and they do have the right to demand admin status.

It would be your job to give them all the information they need regarding the risks and why it isn't good practice to have non-IT staff as admins, but that's all you can do. Provide them with the best advice possible. Whether they listen to it or not is up to them.

 

If you refuse to give them the permission, they are within their right to find someone else who will. It's a horrible position to be in, but I have seen that happen before.

Stop and think a second, something is more than nothing.

I think the best way to proceed here is to let the owner maintain admin status, but move everyone else into a less-privileged user group. Make it clear to the owner that he still has the keys to his kingdom, but these elevated user rights should be used as a nuclear option for rare occasions.

 

This way, he can lock out fired employees or retrieve any material he wants without having to go through an individual IT guy. This way, even if he fires the IT guy, he still has the ability to give the new IT guy the tools he needs to pick up where the previous guy left off. However, outside of these circumstances, he shouldn't need to use the full admin privileges often.

 

I think I could get the COO to do a departmental audit so the different groups of people stay in their wheelhouses more - including himself, the owner, and the one/two other main managers. This frees everyone up to do their jobs better - business management, sales, engineering/CNC programming, and to a lesser degree production. If the business managers aren't doing much engineering, they can focus on business decisions. Engineers will have more time to prep production instead of looking for misplaced files.
