I am an IT auditor and have a client that is currently using the same (local) Administrator password for ease of use of administration on all company desktops and laptops. Obviously this is a poor solution for security and accountability on the networks (see my last question: http://experts-exchange.com/Security/Win_Security/Q_21060579.html), so I've suggested that a "desktop admin" network group be created, that tech support individuals be added to this group, and that all desktops/laptops be configured to include this group in the local Administrators group on each desktop/workstation. The Administrator password should either:
1. be set the same for all desktops, known by only one person (who doesn't use it except in emergencies), and written down in a sealed envelope placed in a locked safe; or
2. be set differently for each desktop and stored in a database that logs access to the password for each machine and requires that password to be changed thereafter.
The client has agreed to do #1 above, but pointed out a conflict. What if a workstation (desktop/laptop) in need of tech support can't access the network because there is a problem with the network card/configuration, or because the user is working remotely (users aren't admins on their own machines)? If the user is at the corp. office, I suppose the one person that does know the Admin password would have to log into that machine to make the necessary configuration changes. What if that person is out of town? That would require opening the sealed envelope in the safe, then subsequently changing the password on all hundreds of workstations, with a new password to be sealed in the safe. Also, if the user is working remotely out of town and can't access the corp. VPN, then how can tech support assist the user over the phone in resolving issues that may require Administrator privileges, without divulging the password? I assume in this case the user would just have to return to the corp. office for repairs (unless alternative #2 above is used, which is logistically complicated).
My question: is there a better alternative than #1 or #2 presented above? How can we resolve the conflicts pointed out by the client? What do all of you network admins out there do to resolve these issues?
Thanks in advance for the help.
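As an added example (not part of the original question or any answer to it), the following PowerShell script does on one workstation what the question proposes: it makes a domain "desktop admin" group a member of the local Administrators group, then gives the built-in Administrator account a unique random password and returns the record that option #2's escrow database would store. The domain name CORP, the group name "Desktop Admins", and the 20-character password length are assumptions; the escrow database itself is not implemented, and the script requires an elevated session on Windows 10 / Server 2016 or later for the LocalAccounts cmdlets.

```powershell
# Added example, not code from the original post. Assumes domain CORP and a
# domain group "Desktop Admins" (both hypothetical), run elevated on a
# domain-joined workstation.
#Requires -RunAsAdministrator

param(
    [string]$SupportGroup = 'CORP\Desktop Admins'   # assumed group name
)

# 1. Make the "desktop admin" domain group a member of local Administrators.
#    Idempotent: Add-LocalGroupMember errors if the member is already present.
$members = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
if ($members -notcontains $SupportGroup) {
    Add-LocalGroupMember -Group 'Administrators' -Member $SupportGroup
    Write-Host "Added $SupportGroup to local Administrators"
} else {
    Write-Host "$SupportGroup is already a local Administrator"
}

# 2. Give the built-in Administrator a unique, random password on this machine.
function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character alphabet: 256 % 64 == 0, so reducing a random byte mod 64
    # introduces no bias. Uses the CSPRNG, never Get-Random.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# Locate the built-in account by its well-known RID (500) rather than by name,
# since the account may have been renamed as a hardening step.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$newPassword  = New-RandomPassword -Length 20
$secure       = ConvertTo-SecureString $newPassword -AsPlainText -Force
Set-LocalUser -Name $builtinAdmin.Name -Password $secure

# Emit the record an escrow store (option #2 in the question) would keep.
# It is returned on the pipeline so the caller can send it to a store that
# logs every read and forces rotation afterwards; do not write it to disk.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Account      = $builtinAdmin.Name
    Password     = $newPassword
    SetAt        = (Get-Date).ToString('o')
}
```

Run it as a computer startup script or through remote management so every workstation gets the group membership and its own password. Step 1 on its own addresses the day-to-day support case in the question: technicians log in with their own domain accounts, so actions are attributable and nobody needs the shared password; step 2 limits a leaked local password to a single machine instead of all of them.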