Administrator Advice

ZestyMozzarella (Lifetime Supporting Member, joined Jun 2019, Massachusetts, 79 posts)
I'd like to ask the community for help and advice regarding a situation at my place of employment. I'm understanding of the need for security from an IT perspective and how they don't want anyone having administrator accounts or free access to that type of control.

Problem is for controls and automation engineers...you need it for the majority of your job...and my IT branch in particular is iron fist, don't care, nobody gets it. Long story short, I'm having to prove why I need it (where I used to have it and now have lost it strictly because IT says take it lol). In the controls field, we all just understand that down to communications, the very nature of the way this software is built...it needs admin to operate cleanly. Some software even hiccups and chugs without it trying to process certain functions. When you call Siemens, Allen Bradley or Emerson...if you're not running admin they practically don't even want to deal with you until you do.

The question I have for the community is this...how do I prove why I need it in a convincing manner? How do I help IT understand the need? Has anyone else ever dealt with this...do you have any good resources or supporting documentation that may help them understand (legitimately, we all know the jokes here lol)?

I know Siemens documentation for one lists admin needs and permissions, they have a section for it. I haven't checked with other brands yet but my goal is to amass as much proof, professional documentation, aids and resources as possible to prove why this is needed and you cannot just parse features out. So I'd like to ask the PLC community, do you have any documents or resources that may aid my cause in this battle or have any advice outside of tuck your head in sand, it's impossible (because I know it feels that way sometimes!).

Thanks for any input, always appreciated. I know you guys understand my pain in this matter.
 
This is tough. There needs to be a balance between security and getting the job done. After all, if you cannot do your job and keep the product going out the door, then none of you have a job. Unfortunately the roles get flipped. You are IT's customer, not the other way around.

There are a lot of Rockwell KB articles that list admin rights and minimum UAC setting as solutions to making their software work. Many of the crashes and/or failures in their software are due to admin rights. Find the KB articles and pass them along. Maybe you could reach out to your local Rockwell reps, or distributor to help convince your IT.
 
At my work, we solve this problem by having a non-IT sanctioned PC for doing controls work, that can't ever be connected to the main company network/VPN/etc. Some of us still have IT laptops, some of us have an IT sanctioned encrypted VM (used with a wifi dongle).

In theory, secure/internal data never leaves the company sanctioned space, and it lets us do what we need to do.
 
Yes, thank you dmroeder. That is essentially the path I'm on: looking up these KB articles, Siemens documentation, reaching out to distribution networks and other integrators to source any kind of documentation I can that aids my battle against this.

I understand the IT concern and need...I suppose I have to educate and find common ground to operate from or a way forward in our network architecture. Should be interesting to say the least!
 
Yes mk42, that is probably part of the truth. We're still overhauling our network to VLAN and separation of IT/OT side of things. It probably is that we need to structure it in a way where the equipment, all the PLC racks, Wonderware server is off our domain on an isolated network or firewalled in a way we can operate freely but still access the data we need when on the IT side of things.

I'm not positive exactly what that entire structure looks like just yet but I do have ideas about it. I think that is the forced negotiation and method this will have to lead to. It's just going to be very painfully achieved production wise as problems come up until such a system is in place :(
 
Yes, thank you dmroeder. That is essentially the path I'm on: looking up these KB articles, Siemens documentation, reaching out to distribution networks and other integrators to source any kind of documentation I can that aids my battle against this.

I understand the IT concern and need...I suppose I have to educate and find common ground to operate from or a way forward in our network architecture. Should be interesting to say the least!

ID: BF22139 | Access Levels: TechConnect
ID: BF11947 | Access Levels: TechConnect
ID: QA41035 | Access Levels: TechConnect
ID: BF19575 | Access Levels: TechConnect

Just to name a few. And there are endless articles about editing the registry. You just have to make a compelling case that we all have the same goal, to make ourselves profitable, we have to work together with that goal in mind.

There also should be an honest conversation on what exactly we are trying to protect against. For one of our customers, IT won't even let them change their IP addresses on their machine. So they have computers designated for certain subnets. That strikes me as a level too far. Controls guys need to access network resources, they need to get machinery up and running.

Maybe invite them out to the production floor to see what you guys are really up to.

Last thing I'll say, I find that people will go to the extreme because of one wild instance that they either experienced, heard 3rd hand or completely dreamed up. For example, one guy was visiting sites he wasn't supposed to, so lock down the internet. Deal with the one guy, don't punish everyone because of it. Everyone has a cellphone. Preventing me from accessing the internet to download a firmware is not going to work.
 
In my experience it's not the IT guys you need to convince. Their mind is made up and they look at all computer users the same. Ignorant saps who bug them when they can't print or their sound isn't working.

You have to get their boss's attention and to do that you need to feed the right information to your boss. Let the big bosses slug it out. Have the KB articles, procedures etc. ready but what will convince them is how production will suffer if you have to call an IT guy every time you need to update some firmware.
 
Yes inviting Corporate IT to our site might not be a bad idea. I can't even make an IP change right now, it's blocked LOL. It's real bad...not much I can get done to systems. If something went down in a major way and IT isn't usually available on site, we're sunk. Big dollar losses...though sometimes I think that would help them understand the need real fast :)

That is just it though, I'm trying to find anything I can to cultivate an honest conversation about the need, for operations, for the business's success, etc. Doing what I can to lead that conversation and cultivate an understanding for all our sakes. Hopefully we can reach a mutual understanding.
 
I did some preliminary work on a robot welding cell to get it ready for a vision system to be added.

When the tech from the vision company (don't know which one) got to the factory he couldn't connect his laptop RSLinx to the ML1500.

Their maintenance called me and I tried to guide him step by step on how to get his DF-1 driver talking to the ML, but it kept popping up that the COM port could not be opened. I told him to open Device Manager and see what COM number was assigned to his USB serial adapter and he said it popped up an Administrator password.

Then he asked ME what the password was to his computer. I told him that the owner of that computer would be the one to ask. He left without completing the job and came back about a week later knowing the password to his laptop.

Fortunately for me the couple of shops I worked at I was able to use my own personal, and much more reliable, laptop and leave their "User Account" laptop alone.
 
if your employer is fighting you on this then it's clear that they fight you every step of the way
my advice is speak with your feet and find another job and leave
if you are good at what you do they will regret their decision and try to get you back
either way if you are not happy where you are move
 
if your employer is fighting you on this then it's clear that they fight you every step of the way
my advice is speak with your feet and find another job and leave

The last shop I worked at had so many problems I emailed the bosses a Terms Of Employment they had to agree to (and every single line item in it) in writing or I left.

I now work on my own and have rejected a few offers from them to return - just not with my terms.
 
These things sort themselves out when the production boss asks why the machine isn't running and you say you can't access the control system due to IT policy.
 
Depends a bit on what role you have, really.

If you're a plant engineer, simply request the purchase of two laptops (one spare) that will not be connected to the IT network and are wholly managed by you. This is nicer in the sense that you're also not liable to scratching your head over some little mod or update that was forced down by IT.

If you're on the developer side, then usually pointing at how that affects the client and bottom line is best to get IT pushed aside. On the last developer role I had, IT decided to install a tracking software in the laptops that removed permission to where Step7 saved project files. We only used Step7 and all of a sudden couldn't archive, retrieve or delete projects from our folder. A little bit of digging and we found the culprit (the tracking software) because it was only installed whenever we hooked up to the office network. The way around it was quite simply to send a message to the Engineering manager pointing out that we can no longer follow the standard to archive/retrieve projects in the company's source control database and as such this won't be done. One week later and the software was gone (he too was none the wiser about it).

Honestly, IT has been a big part of me quitting some jobs over their stupid behavior (usually thinking they're the bread winner when indeed they're a supporting function). The worst was one idiot that wouldn't even let me have a laptop that would not connect to their network for troubleshooting (in the middle of the effing sea). When we finally got some nice toughbooks he screwed them up by installing the vanilla Lenovo OS that IT installed in every Lenovo laptop (not even the network ports worked). All because we can't have unsupported OSs onboard...

It was hilarious to send him and his technician (2 years down the line) the same email saying that XP cannot be used in our facilities in reply to his technician wanting one of our XP laptops because it had hyperterminal for some UPS troubleshooting. LOLOL No, we did not have an XP laptop... LOL
 
I asked for a Siemens Field PG and was told categorically no because of the price.
I asked for a laptop that's not locked down by IT and was told that's not happening.
So I got the locked down laptop and I made a call to IT every single time I had to install anything. Some bits of TIA Portal can take up to an hour to install. After enough of these calls I politely asked what the process was to apply for admin rights so that I didn't have to waste their time again and it was sorted out on the spot.

The only thing I can't do now is registry stuff, which includes changing COM port designations and can be a pain as I've found some older software will only talk to COM1.
 

Similar Topics

I have asked Rockwell (Chat only), and searched Google and the Rockwell KB, and I am still not sure what this means... [$Administrators] This...
Replies
8
Views
2,808
Hello great folks... I need to contact the Administrator...how do I do it...?
Replies
1
Views
1,108
To all I have a NOS Allen Bradley 6180-FLIFHLHTHCZ industrial computer running Windows NT 4.0. When I started the unit I got to the Windows...
Replies
13
Views
6,343
Hi All, Recently i installed Proficy iFix 5.8 on Win 7 64 bit. When i run iFix demo and open the database manager, it gives a message saying...
Replies
11
Views
3,842
Hi all... i was trying to set up a trend which enables crolling(historical) since i'm new i iFix scada.. for that i was trying to collect the tag...
Replies
0
Views
1,864
Back
Top Bottom