nicole pauls congrats on the little one!
I think I am going to have to agree with aaron.damyen on this in that granting users granular permissions so that they can do what they need is the best option. Normally users have reasonable frustrations and as long as they have the ability to do what they need, they won't be frustrated to the point of taking action to steal passwords and root systems. In short; provide a path of least resistance for your users so long as it's within reason. At the same time I think there needs to be a zero tolerance policy when it comes to employees engaging in such activities as stealing passwords and rooting systems.
