Help Desk Operations for Clients Without Admin Privileges

Tim Guilliams

Bob Beane

2 Managed by UT-Battellefor the U.S. Department of Energy

What is Least User Privileged (LUP) computing environment?

• LUP refers to the concept that all users should run their computers with as few privileges as possible

• Benefits of LUP

• Less to do.  Systems that are LUP’ed will be 100 percent maintained by the IT department.  Over time you, will see the pop-ups to install software such as Adobe, Microsoft and other products go away.  This is because IT now has the sole responsibility to manage the patches to your computer.

• Better system security.  With limited access rights, malicious code will not have access to perform operations that could crash a machine, or adversely affect other systems.

• Better system stability.  Running LUP gives users increased protection against inadvertent system-level damage.  100 percent of the Human Resource department is running LUP, and we have seen a decrease in overall call volume to the ORNL IT helpline. 

• Ease of deployment.  The fewer privileges an application requires the easier it is to deploy.

3 Managed by UT-Battellefor the U.S. Department of Energy

Redneck Fire Alarm

4 Managed by UT-Battellefor the U.S. Department of Energy

Agenda

• Planning

• Staffing

• Tools

• Help Desk Impact

• Client Impact

• Looking Ahead

5 Managed by UT-Battellefor the U.S. Department of Energy

Planning

• Communication– Technical change & expectations

– Agents involved in daily actions, message boards

• Ticket System Changes– Tracking LUP issues

– Monitoring daily LUP numbers

• Phone Capacity– Capacity to handle increased call volume

– Ability to add agents quickly

• Equipment Availability– Computers

– Desks

6 Managed by UT-Battellefor the U.S. Department of Energy

Staffing

• Normal Staffing Level– Helpdesk– Field support– Training lead time

• Adjusted Staffing Level– Temporary Labor– Subcontracting

7 Managed by UT-Battellefor the U.S. Department of Energy

Tools

• Administrative Rights for support– Helpdesk/Tier 1– Field Support/Tier 2

• Scripts from SCCM

– Local Admin Elevation• Part 1

• Part 2

• Remote support

– Admin Group Pilot• Active Directory Group

– Techs add themselves for temp admin rights

8 Managed by UT-Battellefor the U.S. Department of Energy

Run Advertised Programs SCCM

Tool to gain admin rights for support

9 Managed by UT-Battellefor the U.S. Department of Energy

Requesting Local Admin - Part 1• Helpdesk elevation process

10 Managed by UT-Battellefor the U.S. Department of Energy

Requesting Local Admin - Part 2

• Self-help elevation tool

11 Managed by UT-Battellefor the U.S. Department of Energy

Remote Tools • Bomgar

– Improved support for additional incident types

12 Managed by UT-Battellefor the U.S. Department of Energy

Tools

• Administrative Rights for support– Helpline/Tier 1– Field Support/Tier 2

• Scripts from SCCM

– Local Admin Elevation• Part 1

• Part 2

• Remote support

– Admin Group Pilot• Active Directory Group

– Techs add themselves for temp admin rights

13 Managed by UT-Battellefor the U.S. Department of Energy

Call Volume• What we expected

– Quadruple in daily call volume

• What we got– Almost double volume

1/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/55/51/59/50

50

100

150

200

250

300

350

400

Opened Tickets by Day

14 Managed by UT-Battellefor the U.S. Department of Energy

Ticket Volume - Trends

May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr0

500

1000

1500

2000

2500

3000

3500

4000

4500

5000

Total Tickets

FY09 FY08

15 Managed by UT-Battellefor the U.S. Department of Energy

Incident Increase

• Type– Software installation– Printer drivers– Cyber Security Requirements

• Impact– Increase in cycle time– Decrease in meeting general SLAs– Huge backlog development

• 3 - 4 months and a contest to bring down to normal

• Still working through lingering issues (it’s a process thing)

16 Managed by UT-Battellefor the U.S. Department of Energy

Client Help for the “simple stuff”

• I know how to do this, why do I need help?

• Common user tasks– Remote desktop– Defrag– Printers– Root file access

17 Managed by UT-Battellefor the U.S. Department of Energy

Where we are headed

• Adjusting Staffing levels

• Modifying support model for more remote support

• Improving tools– Remote support

• Bomgar

• SCCM

• RDP

– Admin access• Improved Tools

18 Managed by UT-Battellefor the U.S. Department of Energy

Other ORNL Presentations of Interest

SharePoint• Monday, 11:45-Using SharePoint UI to Deliver General Use Applications, Connie Begovich• Tuesday, 11:45-SharePoint at ORNL, Brett Ellis 

Cyber Security• Monday, 1:30-Development of a Process for Phishing Awareness Activities, Philip Arwood & 

John Gerber• Monday, 2:15-How I Learned to Embrace the Chaos, Mark Lorenc• Monday, 4:15-TOTEM:The ORNL Threat Evaluation Method, John Gerber & Mark Floyd

Desktop Management• Monday 4:15-On the Fly Management of UNIX Hosts using CFEngine, Ryan Adamson• Tuesday, 11:00-Implementation of Least User Privileges, Doug Smelcer• Wednesday, 11:45, Microsoft Deployment Using MDT and SCCM, Chad Deguira

Incident Management• Wednesday, 11:00-Helpdesk Operations for Clients Without Admin Privileges, Bob Beane & 

Tim Guilliams

IT Modernization• Monday, 2:15-12 Months of Technology, Lara James

19 Managed by UT-Battellefor the U.S. Department of Energy

Questions