jamessa
asked on
2 Man IT Group with Security Questions
Hi,
I am the IT manager for a small company with a 2000 AD and about 40 PCs. I have one guy that works with me who is basically help desk. He is also my backup when I am away. Our company has grown over time, but we still manage everything ok. I do not consider myself an expert when it comes to AD at all. Right now we both log into all servers using a Domain Admin account. We both use the same complex password and I really don't see any other way around it. I could limit him on some things, but he is my backup when I am gone. If I had a large IT department I would greatly consider doing this. As it is now he sets up and removes users in AD. Am I going about this wrong to give him the same access as me? He has worked here for 3 years and is a lifelong friend that I trust.
Second,
We have always managed users' passwords. We have always changed them every 6 months and required them to be complex. I am entertaining the idea of handing that over to the users and modifying the security policy on the DC to make them change passwords every 60 days and require complex passwords. The issue is we can still log into their computers using the domain admin account and could get access to all their files, etc., and I don't think we should be able to do that. We still need to install programs and update the computers. Is there a way to do this and restrict our access from their files?
Oh! I didn't understand that you actually know each user's password. I think that is very bad for accountability and auditing's sake. It also means logfiles are of no use, since any IT member can impersonate any user. You should have a domain admin account for yourself and your other IT admins (probably with different account names, but the same roles/permissions).
You should not have to know your users' passwords. If their computers are locked, have them unlock them or plan ahead. You still cannot unlock a locked computer by resetting the AD password. You need to know the prior password, and like you said, forcing a login at the locked screen will cause them to lose all unsaved data. Just plan ahead, send an email, or post an announcement saying to leave their computer unlocked, or better yet, to log off instead. This way you will be able to login without interfering with their programs.
I still do not think that there is any way to be an admin without full file access, which is required, by definition, to install programs and such.
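The two changes discussed above (one named admin account per person instead of a shared Domain Admin login, and a domain policy that makes users rotate their own complex passwords every 60 days) as an added PowerShell example that is not part of this thread. It assumes a domain controller running Windows Server 2008 R2 or later with the ActiveDirectory module, which the original Windows 2000 domain does not have; the account names and the minimum length, history and lockout values are placeholders chosen for the example.

```powershell
# Added example, not from the thread. Run on a DC with the ActiveDirectory
# module (Server 2008 R2+); the Windows 2000 domain in the question lacks it.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. One named, personal admin account per IT person, so logs show who did
#    what. Both go into Domain Admins, matching the "same roles" advice
#    above. Names are placeholders.
$admins = @(
    @{ Name = 'admin.manager';  Display = 'IT Manager (admin)' },
    @{ Name = 'admin.helpdesk'; Display = 'Help Desk (admin)' }
)
foreach ($a in $admins) {
    $existing = Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'"
    if (-not $existing) {
        # Each person types their own initial password; nobody shares it.
        $pw = Read-Host -AsSecureString "Initial password for $($a.Name)"
        New-ADUser -Name $a.Display -SamAccountName $a.Name `
            -UserPrincipalName "$($a.Name)@$($domain.DNSRoot)" `
            -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true
    }
    Add-ADGroupMember -Identity 'Domain Admins' -Members $a.Name
}

# 2. Domain password policy: users change their own passwords every 60 days
#    with complexity required, as proposed in the question. The length,
#    history and lockout values are example choices, not from the thread.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName `
    -MaxPasswordAge (New-TimeSpan -Days 60) -ComplexityEnabled $true `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -LockoutThreshold 10

# 3. Verify: who holds Domain Admins now, and the effective policy.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName |
    Select-Object MaxPasswordAge, ComplexityEnabled, MinPasswordLength
```

Once each admin has a personal account, the old shared Domain Admin password should be changed so that the shared login stops working.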
ASKER
You are giving some good points! Thanks!