What's the most ridiculous IT policy you've come across

moycullen14

Having shocked people with my 'no linux' story in the dev tools thread, I though a thread dealing with insane IT policies might be fun.

So, what crazies have you seen?

A place I was at in the UK a few years ago had a 'no open source' policy. No amount of explaining that this was insane would do. Some corporate muppet had decided that it was OS was bad and that was the end of that. It was a lot of fun re-implementing apache commons though :-)

endacl

Can't access YouTube in the classroom. On teacher's id/login.

fl4pj4ck

To be honest OP, nothing in your stories seems unreasonable from IT point of view.

PrzemoF

fl4pj4ck wrote: »

To be honest OP, nothing in your stories seems unreasonable from IT point of view.

Banning the whole open source software is like banning software that has "Z" somewhere in the name.

Creamy Goodness

A couple from when I was contracting:

To install some software (was the xcode command line tools - that you need to run certain build commands) needed for their job a software developer had to 'send a ticket', due to it not being labelled as 'critical' the guy was there waiting for two ****ing days.

No open source policy came up a bit too.

fl4pj4ck

PrzemoF wrote: »

Banning the whole open source software is like banning software that has "Z" somewhere in the name.

Because you say so? Anything to back it up? From my point of view, and I've been working in IT sector for last 15 years it seems pretty reasonable. You can't have every John and Mary install crap on corporate machines because they feel like it and "ya know, it's free". Who is going to look after those machines if not IT? Who is going to pay for IT's time?

stevenmu

It's reasonable to have controls around the installation of software, who can do it and what software can be installed. But simple blanket banning of all open source software is not reasonable.

TrueDub

fl4pj4ck wrote: »

Because you say so? Anything to back it up? From my point of view, and I've been working in IT sector for last 15 years it seems pretty reasonable. You can't have every John and Mary install crap on corporate machines because they feel like it and "ya know, it's free". Who is going to look after those machines if not IT? Who is going to pay for IT's time?

Open source, not free software.

Banning things like using the spring framework, or Maven, or Tomcat.

fl4pj4ck

Car to answer why is that? From IT perspective blanket banning everything but required software is a great idea. It keeps the cost of maintenance down, increase productivity (i.e. work instructions, training etc.) and minimizes potential disasters

fl4pj4ck

TrueDub wrote: »

Open source, not free software.

Banning things like using the spring framework, or Maven, or Tomcat.

Now you're being very specific. I don't see anything unreasonable with banning Spring/Maven or Tomcat in a n Accountancy firm.

mad turnip

increase productivity

What?

You would be forced to write so much more of your own code to do what another open source applications already achieves, you would literally spend 100x times more time on stupid tasks that you could use open source software for.

syklops

fl4pj4ck wrote: »

Car to answer why is that? From IT perspective blanket banning everything but required software is a great idea. It keeps the cost of maintenance down, increase productivity (i.e. work instructions, training etc.) and minimizes potential disasters

Quis costodiet ipsos custodes?

It depends who chooses what the required software is and is not. If they have a good, well rounded knowledge of all IT functions in a company, then great. If not, well, it could have costly consequences.

No Open Source, so no putty. How do you connect/configure routers and switches? No Apache, so now you need to go and buy Windows and IIS for your webserver and transfer the content.. Id love to see the look on the managers face when you tell him you have to get rid of all the new Smart TVs, because they run linux and contravene the no Open Source policy.

percy212

Locked down desktops for developers. No installation of anything of any kind other than standard tools. Dropped fairly quickly........

moycullen14

fl4pj4ck wrote: »

Car to answer why is that? From IT perspective blanket banning everything but required software is a great idea. It keeps the cost of maintenance down, increase productivity (i.e. work instructions, training etc.) and minimizes potential disasters

Yeah but it's not about keeping 'IT' happy. This is where I have a problem with trying to develop in non-core companies. IMHO IT or sysadmin, really all management, is there to facilitate and help development. You just don't get that attitude in non development organisations. If a company is happy to have me wasting time, fighting useless policies and re-inventing the wheel then they don't value what I'm doing and I don't want to work there. Simples.

Sparks

Kinda hard to answer this one without risking breaking NDAs.
Which sortof is an answer in and of itself I suppose
I think perhaps the daftest one I've seen that I can talk about was the policy (from quite a while back but not so far back that subversion didn't exist) that we could only work on the production server after business hours.


Please note, I didn't use the word "deploy" there...

moycullen14

syklops wrote: »

Quis costodiet ipsos custodes?

It depends who chooses what the required software is and is not. If they have a good, well rounded knowledge of all IT functions in a company, then great. If not, well, it could have costly consequences.

No Open Source, so no putty. How do you connect/configure routers and switches? No Apache, so now you need to go and buy Windows and IIS for your webserver and transfer the content.. Id love to see the look on the managers face when you tell him you have to get rid of all the new Smart TVs, because they run linux and contravene the no Open Source policy.

But it does happen. Linux? No, use HP-UX or AIX. Apache? No, websphere. MySQL, no ORACLE. God, the money people waste on crap is unbelievable.

If it was coming out of the IT director's pocket, you'd see proprietary stuff dropped like a hot potato.

DublinWriter

moycullen14 wrote: »

MySQL, no ORACLE.

Oracle own mySQL...delicious ironing.

Sparks

moycullen14 wrote: »

Yeah but it's not about keeping 'IT' happy.

In fact, "IT" is the wrong department. In our case it's called "Business Controls" and unless you just felt the room get colder and saw the colours fade a little, you don't have a full understanding of the problem. The running joke is that they're not so much employees of the company as they are the Auditers from the Discworld novels.

In other words, we're not talking about a bunch of sysadmins here with odd ideas and no sensible oversight, we're talking about a group of people handed a large wodge of rules (often dozens of pages worth) by Legal (and yes, all the colour just faded out completely when you said that) and who are responsible for implementing those rules and failing to do so means some nasty chats with HR (blind yet? You should be, it's for your own protection...)

syklops

moycullen14 wrote: »

But it does happen. Linux? No, use HP-UX or AIX. Apache? No, websphere. MySQL, no ORACLE. God, the money people waste on crap is unbelievable.

If it was coming out of the IT director's pocket, you'd see proprietary stuff dropped like a hot potato.

Im not saying it doesnt happen, of course it happens and is an excellent mention for "ridiculous IT policies".

No linux, but you can use AIX? I think Id cry.

No, as another poster said, I simply wouldnt want to work there.

Funny how AIX got a mention. Was working securing AIX servers. Was asked to get the patches installed on 50 servers. Fine, says I, I'll bash out a quick perl script to connect to each server run the command and save the output in a report, be done today says I.

No. Its a policy to only allow senior admins write scripts. Everything else must be done manually.

50 servers. I told them with that number of servers it is mathematically certain I will mistype something or make a mistake, a script will do the same thing each time. Sorry they say, thats the policy.

I didn't last there very long.

GreeBo

No external drives/USB keys allowed so we cant steal data.

Though we are all told to bring our laptops home every night for business continuity purposes...

DublinWriter

What's the most ridiculous IT policy I've come across?

Outsourcing.

Full stop.

TonyStark

DublinWriter wrote: »

What's the most ridiculous IT policy I've come across?

Outsourcing.

Full stop.

Yay! Let's hire some consultants in.... What could possibly go wrong.....!?

Risk is managed...oh wait they've gone bust.

DublinWriter

TonyStark wrote: »

What could possibly go wrong.....!?

You mean something like the IT staff who are about to be reassigned to the outsourcing company under reduced pay and conditions suddenly finding that the CEO is accessing porn on his company laptop and going public with it?

Nah...that would never happen *cough*

TonyStark

DublinWriter wrote: »

You mean something like the IT staff who are about to be reassigned to the outsourcing company under reduced pay and conditions suddenly finding that the CEO is accessing porn on his company laptop and going public with it?

Nah...that would never happen *cough*

More in the context of being left shovel the **** of the Celtic Tiger ebbing and seeing some atrocious consultancy work.. I'll save it for the bad code thread.

BrokenArrows

Our IT department insists on leaving Symantec Endpoint configured in such a way that it updates the definitions multiple times a day during business hours. Which is oh so fun as it downloads a 700+ MB updates 4+ times a day, processes the definitions and runs a system scan after it does the update.

I checked the IO byte count of the update process on my computer which has been running for 20 days. The byte count was at something like 17 terabytes. That's insane and that's not even counting the virus scanning which occurs under the windows System process.

PrzemoF

fl4pj4ck wrote: »

Car to answer why is that? From IT perspective blanket banning everything but required software is a great idea. It keeps the cost of maintenance down, increase productivity (i.e. work instructions, training etc.) and minimizes potential disasters

You're nicely mixing "open source", "free software", "free, but no source" and "everything, but required software" together. Controlling what is on a PC is one thing and simply banning software because it's open source is another.

moycullen14

PrzemoF wrote: »

You're nicely mixing "open source", "free software", "free, but no source" and "everything, but required software" together. Controlling what is on a PC is one thing and simply banning software because it's open source is another.

Very true. I wouldn't mind IT departments controlling what is on machines if they didn't do such a half-a**ed job of it. As a contractor, it would be great to have a complete, up-to-date machine with all the software I require on it AND have it working.

I don't know how much time I've wasted over the years manually configuring stuff that just doesn't work.

fl4pj4ck

PrzemoF wrote: »

You're nicely mixing "open source", "free software", "free, but no source" and "everything, but required software" together. Controlling what is on a PC is one thing and simply banning software because it's open source is another.

No I am not. You don't seem to realize that allowing or disallowing certain software to be used is ultimately a business decision. What a business needs is a set of tools to accomplish certain range of tasks. Decisions needs to be made regarding availability of these tools, the cost of them being introduced and cost of the IT infrastructure being maintained. And it has nothing to do with what employees are thinking is the most productive. It's the business decision when case studies are performed.

Also all processes have to be documented to certain extend, to achieve certifications as ISO. To be compliant with those, a company cannot simply allow employees to use whatever tools they like.

You on the other hand seem like open source evangelist with a little or no knowledge of what impact it has on business or business improvement process. Allowing people to use whatever tools they want is only asking for trouble and will ultimately lead to disaster.

As you failed to provide any evidence of why using open source software is beneficial and should be allowed without any if's and butt's, I will refrain from further posting in this thread.

stevenmu

I think you're missing the point. Yes, it can be important to have governance and controls around what software gets installed. And it's very reasonable that organisations will have a procedure to decide what software gets selected that will have a number of factors.

But ruling out open source entirely doesn't help that in any way. The only difference it makes is artificially limiting what choices of software are considered. Lets take a quick and simple example:


Suppose a team (it could be a team of developers or any other team) decides they want to build an internal knowledge base. Requirements get analysed, business cases get drawn up, change requests get made and risk logs get signed off on. It's decided as part of this that a Wiki is the best way to let everyone contribute and manage it. It gets approved by everyone who needs to approve such things, a preliminary budget is granted, everyone gets excited, it's going ahead, new software is going to be deployed and nothing can stop it now. All that needs to happen is to decide what Wiki software to use.

Now I'm not hugely familiar with many Wiki engines, but afaik the two best are MediaWiki and TikiWiki, both of which are open source. The only closed source one I'm aware of is built into SharePoint, and as much as I love SharePoint and think it should be used by everyone, it's Wiki functionality isn't the best out there and if that's all you're interested in then it's also complete overkill.

Now if open source is ruled out automatically you are straight away ruling out the two best options available to you and insisting on a solution with less Wiki functionality. And SharePoint is certainly not going to require less training, support or management than a simple open source Wiki engine running on a LAMP or WAMP server. Ruling out open source has not helped in any way, and in fact just made things slightly worse.


And fwiw, I'm not an open source advocate. I rarely use open source software, I work almost entirely within the Microsoft stack and regularly argue the benefits of Microsoft based solutions over open source ones. But, I also believe in the right tool for the job.

PrzemoF

fl4pj4ck wrote: »

To be honest OP, nothing in your stories seems unreasonable from IT point of view.

That's about open source.

fl4pj4ck wrote: »

Because you say so? Anything to back it up? From my point of view, and I've been working in IT sector for last 15 years it seems pretty reasonable. You can't have every John and Mary install crap on corporate machines because they feel like it and "ya know, it's free". Who is going to look after those machines if not IT? Who is going to pay for IT's time?

That's about free software

fl4pj4ck wrote: »

Car to answer why is that? From IT perspective blanket banning everything but required software is a great idea. It keeps the cost of maintenance down, increase productivity (i.e. work instructions, training etc.) and minimizes potential disasters

That's about "anything, but required software"

And you say: "I'm not" [mixing]??

fl4pj4ck wrote: »

No I am not. You don't seem to realize that allowing or disallowing certain software to be used is ultimately a business decision. What a business needs is a set of tools to accomplish certain range of tasks. Decisions needs to be made regarding availability of these tools, the cost of them being introduced and cost of the IT infrastructure being maintained. And it has nothing to do with what employees are thinking is the most productive. It's the business decision when case studies are performed.

Also all processes have to be documented to certain extend, to achieve certifications as ISO. To be compliant with those, a company cannot simply allow employees to use whatever tools they like.

You on the other hand seem like open source evangelist with a little or no knowledge of what impact it has on business or business improvement process. Allowing people to use whatever tools they want is only asking for trouble and will ultimately lead to disaster.

As you failed to provide any evidence of why using open source software is beneficial and should be allowed without any if's and butt's, I will refrain from further posting in this thread.

Great! Here you go: A couple weeks ago I used gimp (yes, that open source image manipulating software) to save a project for a _huge_ client. It got included in the official procedure for that project. Gimp saved the bacon and we managed to get everything ready before the deadline. Gimp was used to fill the gaps in proprietary software functionality.

No way I could do it without open source. Getting photoshop licence approved would probably take me a week or more as I don't use any image processing software on daily basis.

I never said that open source software should be used without any restrictions just because it's open source and you never proved that open source software should be banned in certain situations just because it's open source.
/rant mode off

croo

re: Open Source
I think the point people are making is not that everyone should be allowed to install & use whatever software they ant but that software should be excluded from the list of prescribed software based on the fact that you have access to the source code. It anything it would make more sense to me for the opposite to be the de facto stance.

From my own experiences. It wasn't an IT Policy as such but the strangest request I was ever given was...

Long time ago, in a land far far away, I was tasked with defining an interface between a mainframe application I maintained and a vax based system in a subsidiary company. After some time defining the structure & data (records & fields etc) of the interface, I asked what form the interface might be, e.g. tape (tape would have been the norm at the time … I did say it was long long ago!!) or an file transfer, batched or real-time etc.
"Printed", was the answer, "Printed... on paper."
My counterpart maintained it would be cheaper to hire a room full on “data entry clerks” to (re)enter the data by hand than get a coder to write a load program!?
Needless to say I was pretty astounded - but that’s how it was done!!

That was probably the craziest thing I ever was asked for but there are other things close behind.

syklops

To be compliant with those, a company cannot simply allow employees to use whatever tools they like.

No-one on this thread is advocating a free for all when it comes to installing software. The point numerous posters have made is banning all Open SOurce software is like banning all software with a specific letter in the title. It is arbitrary and poor business practice in a modern organisation.

j8wk2feszrnpao

If the argument been made by someone is to ban all Open Source on the basis that it is Open Source, then that is irrational.
There are huge benefits to some Open Source and it doesn't come with risk attached.
As in most cases, it should be evaluated and then a business decision made.

I just wish that people would reference their IT policy before they come to IT to implement a solution (often with new equipment/software already purchased) that conflicts with the IT policy of the business.

jester77

In 15 years of working I've never come across any silly policies. Usually have the choice of OS and I could install what I want. Never heard of anyone FUBARing their machine because of it.

cython

fl4pj4ck wrote: »

No I am not. You don't seem to realize that allowing or disallowing certain software to be used is ultimately a business decision. What a business needs is a set of tools to accomplish certain range of tasks. Decisions needs to be made regarding availability of these tools, the cost of them being introduced and cost of the IT infrastructure being maintained. And it has nothing to do with what employees are thinking is the most productive. It's the business decision when case studies are performed.

Also all processes have to be documented to certain extend, to achieve certifications as ISO. To be compliant with those, a company cannot simply allow employees to use whatever tools they like.

You on the other hand seem like open source evangelist with a little or no knowledge of what impact it has on business or business improvement process. Allowing people to use whatever tools they want is only asking for trouble and will ultimately lead to disaster.

As you failed to provide any evidence of why using open source software is beneficial and should be allowed without any if's and butt's, I will refrain from further posting in this thread.

Funny that that last sentence tends to be most often used by posters when they are fighting a rapidly losing battle......

It really isn't rocket science to understand the conversation though:

1. Blanket ban on open source software? Bad!
2. Carte Blanche for open source software? Also and equally bad!
3. Considering a piece of software (either a tool or a library on which to build additional code) based on its merits and the requirements and making an informed decision? Bingo!

As it happens, the company within which I work has a requirement that any dependency libraries used must be open source, as that way if we find a need to extend them or if the maintainers cease maintaining them we have the option of developing them ourselves. We do have criteria as to which licenses are acceptable, and there is a review process before a brand new one will be accepted, but we would be utterly hamstrung if there was a blanket ban on OSS in house, and a lot of the development work would have been massively slower over the years.

beauf

IT policy. IT Development policy. Not the same thing.

COYW

'No open source' is common enough from my experience, particularly in corporate environments.

ethernet

This is in a large multinational...

Devs needing to request and justify admin rights every few months.

Having to create tickets for the simplest things, like a replacement mouse.

Tiny limits on inbox sizes (no server-side processing allowed)

Excessive web filtering - a lot of solutions to problems are blocked!

Not having full access to your own dev database - having to create tickets and format SQL to a certain line length for the script monkeys to execute it hours/days later.

And more!

COYW

ethernet wrote: »

This is in a large multinational...

Devs needing to request and justify admin rights every few months.

Having to create tickets for the simplest things, like a replacement mouse.

Tiny limits on inbox sizes (no server-side processing allowed)

Excessive web filtering - a lot of solutions to problems are blocked!

Not having full access to your own dev database - having to create tickets and format SQL to a certain line length for the script monkeys to execute it hours/days later.

And more!

I have to say that none of the above are unusual from my experience. It slows things down massively alright but the points you list above are facts of life in a large company. On the web filtering, I looked on that as a challenge and I had great fun finding ways around it.

DublinWriter

PrzemoF wrote: »

No way I could do it without open source. Getting photoshop licence approved would probably take me a week or more as I don't use any image processing software on daily basis.

One of the classic issues with IT management/governance has always been the ever growing chasm between the in-house IT function and the business process it serves.

Typically most in-house IT functions can't keep up with the requirements of business. Even with the rise of Agile, most IT departments still want to seal processes and data models in aspic and like to deny the realities of an ever changing business-environment.

People tend to forget the the whole PC revolution was driven on the back of individual business departments using PCs and Lotus 1-2-3 in the late 1980's, purchasing the same outside of official IT Department sanction. If it wasn't for this end-user driven revolution most people in IT would still be loading mag-tapes and running batch jobs.

Diemos

On a previous job in a large financial institution, one of the applications I supported, a major risk was flagged up during an audit (which it had passed every year previous) because the application used an administrator account called "administrator". As instructed I contacted the vendor and asked them if we could rename or remove the administrator account.
I was told no, the account was critical to a number of jobs within the application and the vendor provided me with said list of jobs.
So I was instructed to create an alternative admin account under a different name for all those process "administrator" was not required for.
Effectively doubling the risk! I tried to explain this but I was told by management to just do what they requested so they could close the risk.

I do not miss audits.

beauf

DublinWriter wrote: »

O...Typically most in-house IT functions can't keep up with the requirements of business. Even with the rise of Agile, most IT departments still want to seal processes and data models in aspic and like to deny the realities of an ever changing business-environment....

Oddly enough if you make the business fund their ever changing IT aspirations out of their own budget, rather than the IT budget. There doesn't tend to be any gap. Letting the business units, have a little adventure with outsourcing, with their own budget, also tends to bring a difference sense of reality.

Boskowski

COYW wrote: »

I have to say that none of the above are unusual from my experience. It slows things down massively alright but the points you list above are facts of life in a large company. On the web filtering, I looked on that as a challenge and I had great fun finding ways around it.

These things may be facts of life in a corporate environment but do they always make sense?

It some sort of contradiction really. On the one hand they trust you to develop and run their stuff and be trustworthy and diligent and the people are in fact more or less the sole asset an IT organisation has. And then on the other hand they seem to assume you are a potentially criminal liability half the time so they put you in a straight jacket while doing your job.

Its not what Im doing right now but I'd take a small organisation over a big corporate every time. There is a fine line between sensible red tape and bullsh1t risk management paranoia and risk managers tend to err on the side of caution.

jdee99

Used to run a site in the UK (10 servers 750 workstations and clapped out network) and we banned USB, Floppy and CD access. IF I could have had my way I would have severely locked down internet access. Company policy was no charging of USB devices so every time someone plugged a mobile in to charge it up the got a face to face with the security people. Only coding that could be done was by the admins, no installation of any software other then what was preauthorised - and the amount of stuff we disabled via registry was unreal. The workstations literally were used for writing reports and presentations, internet browsing and that was about all they were allowed.

The Corinthian

COYW wrote: »

'No open source' is common enough from my experience, particularly in corporate environments.

Blanket bans on open source in large organizations tend to be driven by a combination of snobbery and paranoia.

The former comes from the presumption that for something to have value it must be ridiculously overpriced - Oracle's business model... actually anyone who's worked as a consultant will understand this.

The latter is because with open source there's no control on what's in the code and security consultants will correctly advise that there may be security implications when you install open source software, at which point who's responsible? Who do you sue? It's unfortunately like running something past a legal department; 99% of the time they'll say that there are legal implications to doing something. Doing anything.

Basically from a security point of view, just as a legal one, there are always potential implications, no matter how unlikely, and whoever is giving a recommendation will want to cover their ass.

However, there's also good reasons to ban open source software, at least some open source software. Firstly there's the licence question - there's dozens of different open source licences out there, and what you can and cannot do with the software depends upon this. A simple example is incorporating GPL-licenced software into your company's software product. The moment you do, you have to open up your source code, which isn't a good idea if you want people to pay for it.

A second problem with open source, which you realize over time, is that as a system it has it's flaws and limitations. Anyone who's ever been involved in an open source project will have come across CV-padders, developers who are only 'volunteer' to the project because they want an extra line in their CV. Often they're unreliable or will submit sub-standard code and then who will review it? Other volunteers who could be just as flaky.

And will the project be supported in six months? A year? Two? SourceForge is a veritable graveyard of abandoned projects, with no one to support them.

So while a blanket ban is a bit OTT, I can see where they're coming from much of the time. Without a blanket ban, each software component would have to be assessed on the above criteria at least - every single tiny library that a developer finds on Google - and there are resource implications to that.

Calina

Most of my issues are hierarchy driven. Not being allowed software essential to my job because - "not everyone gets that you know".

syklops

jester77 wrote: »

In 15 years of working I've never come across any silly policies. Usually have the choice of OS and I could install what I want. Never heard of anyone FUBARing their machine because of it.

Where is this utopian place you are working?

jester77

syklops wrote: »

Where is this utopian place you are working?

It probably stems from the fact that most of the companies I've worked for are either startup type companies or working in social media. I've worked for some major multinationals, but even they didn't have any silly policies. Anywhere I've worked developers are free to do as they please (within reason of course) and they are responsible for keeping their machine working and not installing unlicensed software. Otherwise it would be back to IT and the default dev image would be put back on the laptop.

I know that other departments have their machines locked down, but it makes sense. Devs need free reign and are technically apt to know what they are doing.

I have heard of ridiculous policies in other companies like PCs being so locked down that QA teams have to fight to install browser updates to test their platform.

syklops

jester77 wrote: »

It probably stems from the fact that most of the companies I've worked for are either startup type companies or working in social media. I've worked for some major multinationals, but even they didn't have any silly policies. Anywhere I've worked developers are free to do as they please (within reason of course) and they are responsible for keeping their machine working and not installing unlicensed software. Otherwise it would be back to IT and the default dev image would be put back on the laptop.

I know that other departments have their machines locked down, but it makes sense. Devs need free reign and are technically apt to know what they are doing.

I have heard of ridiculous policies in other companies like PCs being so locked down that QA teams have to fight to install browser updates to test their platform.

So you were a dev in companies that value devs. An enviable position to be in.

jester77

syklops wrote: »

So you were a dev in companies that value devs. An enviable position to be in.

I think it comes down to choosing roles carefully. It's easy enough to get an impression of policy during an interview. Development methodologies is something else that I also look out for. In 15 years I've never worked in a waterfall project. I've only ever worked in agile teams, XP, scrum & kanban. Maybe there is a link there between waterfall methodologies and strict IT corporate policies. I would say that companies practicing Agile methods are more likely to have a more flexible IT policy.

beauf

I've only worked in a fully locked down environment once as a contractor. Where I am now USB devices are blocked and some user groups have locked down desktops, no admin access to the their machine.

I'm not sure I can pick an official IT policy I disagree with in any place I've worked. Business and development policy and practise certainly. Usually people tackle the symptoms of a problem not the root cause. Band aids etc. Which then has a knock effect from that point onwards.