I've found a lot of times that "the big boss" in a company wants to be able to install "anything" and to do anything on their computer.
Of course we can tell him that it is bad because the IT system administrators lose control over the computer, and so on.
Any irrefutable argument to convince big bosses that it's better to not have administrator privileges on their desktop computer?
The only time I was even a tiny bit successful on this was a boss who was willing to use run as with alternate credentials if he wanted to install something. I explained that even the sysadmins logged onto systems with normal accounts most of the time and then created him his very own admin account that he was only to use when he wanted to do something special. It was actually very effective, and kept his machine from getting totally screwed up in the two years that I was at the company. This was a relatively savvy CEO who was able to understand the whole run as thing, and I'm sure he had stuff on there I wouldn't have approved, but at least it stopped him from passively screwing stuff up.
Tell them they can have the same access that domain admins get, and then give them exactly that:
The idea is that the privileged account should be broken enough that it's less painful to stay logged in as a standard user most of the time; the boss will only want to use the privileged account when he really needs it. Big bosses almost always rely very heavily on access to e-mail and report systems, so if you can make accessing these from the privileged account a little less convenient you're in good shape. Half the time your boss will just forget the credentials anyway.
If this still doesn't satisfy them, then go ahead and hand out a full domain admin/root account, but still do it as a separate account from their normal working account — after all, they are the boss. Make sure the account is heavily audited. At this point, what they're often really looking for anyway is just an insurance policy or hedge against a rogue admin; they need to feel like the buck stops with them if it comes to it, and as long as they have a standard user account for their day to day work there's nothing wrong with this.
None, except to let them know it will take at least 3 to 4 hours to clean up his computer when he's hopelessly hosed it up.
Just fair warning...
I only do contract work, so I do whatever my Customers tell me to or, if I really don't like it, I exercise the "bailout clause" in my contract.
With that in mind, most people have had some kind of "malware" experience today. I discuss with the Customer how malicious software that they run via browser bugs, etc, has all the same rights and privileges as the user account they're logged on with (including access to their email and their keystrokes, not to mention resources on servers).
Normally I get a question like "Why won't the anti-virus software take care of it?" We then have the "arms race" talk-- the one about how the malware people are downloading the same updates to anti-malware software that you are and engineering around the new "signatures", etc.
I top it all off by explaining that I use limited user accounts on all my computers (and have done so for years).
This is all it has taken me to convince users to run with limited-user accounts. On a few occasions I've had to let the user have a malware experience first (which invariably happens), but since my services typically come with a very clear indication of the related expense attached, it usually only happens once.
I generally create "Administrator"-level users as either local accounts or domain accounts (along with restricted groups policy to actually give the user account "rights"), depending on how many computers the user needs the access to. I make sure not to name it in any of the groups used by the day-to-day user account, and not to give it access to their Exchange mailbox. I want the "Administrator" level account to be as useless as possible for anything except installing software / drivers on their PC.
This strategy has saved me a lot of headaches and has saved my Customers a substantial amount of money. It takes "people skills" to have the conversations you need to have, and being a contractor certainly helps matters, but it's definitely a surmountable problem.
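A check for the account separation described in the answer above, as an added example that is not part of the original answer: it flags an "Administrator"-level account that shares groups with the day-to-day account or can open a mailbox. The function name, the account, group and mailbox names, and the `Domain Users` allow-list are assumptions made for illustration.

```powershell
# Added example. Account, group and mailbox names below are constructed.
function Test-AdminAccountSeparation {
    param(
        [string[]]$DailyGroups = @(),      # groups of the day-to-day account
        [string[]]$AdminGroups = @(),      # groups of the separate admin account
        [string[]]$AdminMailboxes = @(),   # mailboxes the admin account can open
        [string[]]$AllowedShared = @('Domain Users')  # accepted overlap (assumption)
    )
    $findings = @()

    # A group held by both accounts lets the admin account reach day-to-day resources.
    foreach ($group in $AdminGroups) {
        if (($DailyGroups -contains $group) -and ($AllowedShared -notcontains $group)) {
            $findings += "Admin account is in day-to-day group '$group'"
        }
    }

    # The admin account is meant for installing software and drivers, not for mail.
    foreach ($mailbox in $AdminMailboxes) {
        $findings += "Admin account can open mailbox '$mailbox'"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample: the admin account was wrongly added to a reporting group
# and granted access to the user's mailbox.
$result = Test-AdminAccountSeparation `
    -DailyGroups    'Domain Users', 'Sales', 'Exec-Reports' `
    -AdminGroups    'Domain Users', 'CEO-PC-LocalAdmins', 'Exec-Reports' `
    -AdminMailboxes 'ceo@example.test'

$result.Findings
"Compliant: $($result.Compliant)"
```

On a live domain the group lists can be collected with `Get-ADPrincipalGroupMembership` from the ActiveDirectory module and the mailbox list with `Get-MailboxPermission` from the Exchange management shell.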
Unfortunately, there's not much you can do to the guy who is signing your paycheck. :-)
The best (practical) advice I could give you would be to make sure you have a good backup routine in place for his system and let him go hog wild. LOL
It really boils down to this:
SOMEONE has to be in the driver's seat. It's his company so clearly he's the boss. The best you can do is ADVISE him as to the best course of action (with anything) and then let him make an "informed decision". If he doesn't go with your advice... and there's a screwup... it's HIS fault for not listening.
If he DOES follow your advice and there's a screwup... it's still HIS fault because HE made the decision. Remember, HE'S in the driver's seat.
Now... this will get you some weird looks from time to time... even a chuckle or a laugh.
Be sure to explain that THE DIFFERENCE is... you clean up YOUR messes (for free) and do your very best to resolve the situation. The other he pays you to clean up and you reserve the right to "preach" at him for 5-10min and he agrees to listen.
Try to keep it on the FUNNY side.
I've never had a problem explaining this logic to a business owner. Most of them already know it. It's just fun to explain it in blunt (yet gentle) terms. ;-)
Instead of trying to convince him that he is wrong, perhaps you should try and find some way to compromise. Perhaps allow him to run a copy of VMware with a guest vm he can go wild on. Try and give him the ability to accomplish what he thinks he needs to do in a way that will still leave him with a stable managed system.
Really, you probably need to make the business case that he can either have a computer that is reliable and that can be restored when it fails or he loses his computer because you know exactly what is on the system and how to fix it and where all the media is. Or he can have a computer that he is responsible for, and when the computer gets broken, you cannot guarantee that you will be able to do anything other than format+reinstall.
Try and communicate the risks and what you do, and try to reach a compromise. Consider setting up a VM, or a dual-boot setup or something that allows him the flexibility he needs/wants, but still lets him have a stable system.
Tell him that he should really set the example the rest of the company should follow.
If he starts to "customise" his (worst case) laptop with "internet downloads" then his Director for Sales will, the Finance Director will, the Assistant Sales Director will, the Sales guys will, the technicians will, customer services will etc etc.
Then, explain that a) the risk to the BUSINESS INFRASTRUCTURE is increased (fancy finding all your customer and order information on the internet), b) sets a slack security and professionalism culture in the organisation, and c) costs a lot more in support and reduced reliability.
If he wants a play machine, then let him do it on his own PC but a business PC / Laptop / Equipment is for business purposes.
It's a grown up thing...
I don't understand the one-sidedness of the answers here. The big cheese gets what the big cheese wants.
Will a non-technical executive get into some trouble of their own making?
Maybe -- but look at that as an opportunity to get a first hand ability to show off your abilities and get some facetime with the guy signing the checks. Giving a talented young admin exposure to the CEO is a great way to give the kid facetime and makes the promotion process easier... "Remember the guy that saved the day last month..."
Or you can take the grumpy, by-the-book approach, piss off the CEO and give your boss heartburn.
I totally sidestepped the issue and bought the CEO a very expensive very high end (at the time) Mac workstation with a huge studio display. He loved the exclusivity, I loved the fact that there was a little bit less trouble he could get into. I maintained the ability to ssh in and run top just to keep an eye on things. Luckily he was not a laptop guy.
Tell him that very few Hospital Bosses perform Brain Surgery or any Surgical Procedures for that matter.