Controlling IT staff with Administrative access

Our IT department has four staff, all have admin access to the servers.

Recently, a staff member put a user in the admin group, when confronted he denied doing it.... because the servers are always logged on as admin there is no way to trace it back.....

Is there a better way to controll access to servers via the admin user

Thanks
n_athenAsked:
Who is Participating?
 
Lee W, MVPConnect With a Mentor Technology and Business Process AdvisorCommented:
Some things can be nearly impossible to trace.  Look into enabling auditing on the servers (not necessarily file auditing, but auditing of users' use of security privilages).  In addition, create admin accounts for each user that needs admin access.  For example, in my last corporate position I setup the 10 people who needed admin access with accounts such as jbadmin and mkadmin (initials-admin).  You could also just create accounts such as jsmith-adm.  Their regular accounts get no special privilages, and the only admin account they know is the adm/admin account assigned to them.  Then you have to make sure everyone starts taking responsibility by logging off the servers when they are done - and locking the screens if they step away for a few minutes.
0
 
novacopyCommented:
i would change the admin password and not tell them. then set a screensaver to have a password so whenever they need access they will have to use their own login info to unlock the server and log off the last user. maybe you should look at putting a "key logger" on the server so you can have everything that was done monitored.
0
 
novacopyCommented:
not the best advise but just a suggestion
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.