Is it common to allow local desktop and/or active directory admin access and rights for developers in organizations?

Here's one data point from a software company that has an interest in security. I know this is common in similar organisations.

There are a number of networks. They are physically separated and air-gapped, and run on different colour-coded network cables.

Each employee has an 'administration' machine, which can connect to the Internet (via a proxy) for doing email etc. All users are strictly locked down, and there's strict device and access control.

In addition to this, each developer has an 'engineering' machine. This has full admin access, and the user can do whatever they like. However, it is connected only to the engineering network (no route to the Internet).

In most software development contexts this could be seen as extreme, but in orgs that have conflicting requirements of high security and developer freedom, this is a common solution.

To answer your question: yes, it is common to allow developers admin access, but this doesn't always mean admin access to a machine that could cause information security issues.


In my experience, it is common for developers to have admin access on their own machines. It is also common for them not to have admin access on their own machines. However, in the latter situation some accommodation is generally made so they can get their jobs done without too much friction.

One very common accommodation is access to a hypervisor on the workstation (whether some version of VMware or the Hyper-V that comes with Windows), along with the specific permissions needed to create and destroy VMs within that hypervisor as needed, including creating VMs where they have admin rights to the guest OS. Typically some of these VMs will be long-lived, even if they don't run all the time, so it's rarely a question of needing to prepare an entire VM from scratch just to do what should be a quick test for something that needs administrator privileges.

The hypervisor may or may not be configured to allow internet access for its VMs; I've seen it both ways, though personally I strongly favor allowing internet access... at least for the types of development with which I have most experience. But internet access, when granted, can and should at minimum be configured to force VMs into a dedicated VLAN, separate from the rest of the corporate network. I'm not sure this is possible to enforce directly via Hyper-V or VMware, but you can use 802.1X on the ports of many network switches to prevent access to certain VLANs from unauthorized machines, including developer VMs. Then you can give a little tutorial to developers about how to set a VLAN tag in a VM and let them know what VLAN tags will be permitted on their switch port. I've also seen this enforced via training merely as a policy edict, rather than via technical measures, with perhaps the occasional friendly audit to encourage compliance and make sure devs know it's important.

And, of course, this coincides with providing developers with machines sufficiently powerful to run multiple VMs at one time.
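As an added illustration of the "friendly audit" idea above (this is not code from the answer or from the poster's environment): Hyper-V's own PowerShell module can tag a VM's virtual NIC into a VLAN in access mode, so a host-side script can list every developer VM whose adapter is not on the permitted VLAN and, optionally, fix it. The VLAN id and the host are assumptions; the script needs to run elevated on the Hyper-V host.

```powershell
# Added example, not part of the original answer. Audits all VMs on this
# Hyper-V host and reports any virtual NIC that is not in access mode on
# the VLAN reserved for developer VMs. With -Remediate it retags them.
param(
    [int]$DevVlanId = 200,   # assumed developer-VM VLAN id (site specific)
    [switch]$Remediate       # report only unless this switch is given
)

$findings = @()

foreach ($vm in Get-VM) {
    foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
        # Current VLAN configuration of this virtual NIC
        $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
        $compliant = ($vlan.OperationMode -eq 'Access') -and
                     ($vlan.AccessVlanId -eq $DevVlanId)

        if (-not $compliant -and $Remediate) {
            # Force the NIC into access mode on the developer VLAN; the
            # physical switch port's 802.1X / allowed-VLAN policy is still
            # the authoritative control, this just keeps the VM config honest.
            Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId $DevVlanId
        }

        $findings += [pscustomobject]@{
            VM          = $vm.Name
            Adapter     = $nic.Name
            Switch      = $nic.SwitchName
            Mode        = $vlan.OperationMode
            VlanId      = $vlan.AccessVlanId
            Compliant   = $compliant
            Remediated  = (-not $compliant) -and $Remediate.IsPresent
        }
    }
}

# Non-compliant adapters first so they stand out in the audit output
$findings | Sort-Object Compliant | Format-Table -AutoSize
```

Run without `-Remediate` to produce the audit list for a conversation with the developer; run with it on hosts where retagging is the agreed policy.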


I work for a fairly large investment management firm (~6000 employees) and developers are one of the groups that we approve for local admin access. We tell them not to install any software, as that is handled by local desktop/software compliance.

We also have a Developers AD Group that allows members to change the execution policy on their machines without requiring local admin.