Admin Rights Best Practices

Asked by sfarazmand (United States of America):

We have a broad range of users, from developers and testers to Desktop Support, etc. Apart from security groups which allow domain-level access for help desk and users, we have the need for local admin rights on the machines.

I know that best practice is to determine what access/permissions are needed at the local level and grant that access without the use of local admin rights; however, we are not there yet.

We are planning on using a "bang" account (second account) such as sfarazmand! We want to limit domain access as well, so that users are not using the admin account as their default.

The question is which is best practice: to use a domain account or a local account? What are the pros and cons of each?
SOLUTION (Mike Kline, United States of America): content available to Experts Exchange members only.

SOLUTION: content available to Experts Exchange members only.

SOLUTION: content available to Experts Exchange members only.
sfarazmand (ASKER):
The main concern is local admin rights (LAR) for users. One user per machine (flast! on workstation1). Users currently have admin rights and we have been cleaning this up. There are, however, those who state they need these rights, and while we work with business units to find out exactly why, we still need to get the job done.
We currently (someone's poor design) have all the users (about 3000) in the Users container. We cannot change this because there are about 40 applications pointing there. If we do use Group Policy it will require going through an approval process as well as management on a monthly basis.
The mentality was that with the second account, the account management group could simply disable the account, instantly removing LAR. We would be able to place the secondary accounts in an OU, making it easy to see who has local admin rights, which would enable us to ensure those accounts or access are not removed and that we can go back and review to see if they are still needed.
That's what we were thinking.
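The review loop the asker describes above (bang accounts in their own OU, revoke by disabling, periodically check whether they are still needed) can be scripted. The following PowerShell is an added example and not code from the thread or from any of the participants. It assumes the RSAT ActiveDirectory module is installed, that the bang accounts sit directly in a dedicated OU (the OU path, the 90-day threshold, the flast! naming pattern and the use of the Description attribute to record the workstation are all assumptions), and it runs in dry-run mode until `-WhatIf` is removed.

```powershell
# Added example: review the OU that holds "bang" (flast!) accounts and disable
# the ones that look stale. Not from the original thread; all names below are
# assumptions for illustration.
Import-Module ActiveDirectory

$LarOu     = 'OU=LocalAdminAccounts,DC=example,DC=com'   # assumed OU DN
$StaleDays = 90                                           # assumed review threshold
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# Groups a second account should never be in if "domain access is limited"
$PrivilegedGroupPattern = '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),'

# Everything directly in this OU is, by convention, a bang account
$accounts = Get-ADUser -SearchBase $LarOu -SearchScope OneLevel -Filter * `
                -Properties Enabled, LastLogonDate, Description, MemberOf

$report = foreach ($a in $accounts) {
    # Naming-convention check: sAMAccountName must end in "!" (assumed pattern)
    $nameOk = $a.SamAccountName -match '^[A-Za-z][A-Za-z0-9.\-]*!$'

    # Stale = enabled but never used, or unused for longer than the threshold.
    # LastLogonDate is derived from lastLogonTimestamp, which replicates lazily
    # (accurate only to roughly 14 days), so treat it as a review signal, not proof.
    $stale = $a.Enabled -and ($null -eq $a.LastLogonDate -or $a.LastLogonDate -lt $Cutoff)

    # Domain-wide privilege creeping into what should be a workstation-only account
    $privileged = @($a.MemberOf | Where-Object { $_ -match $PrivilegedGroupPattern })

    [pscustomobject]@{
        Account    = $a.SamAccountName
        Enabled    = $a.Enabled
        LastLogon  = $a.LastLogonDate
        Machine    = $a.Description          # assumption: description = workstation name
        NameOk     = $nameOk
        Stale      = $stale
        Privileged = ($privileged.Count -gt 0)
    }
}

$report | Sort-Object Stale, Privileged -Descending | Format-Table -AutoSize

# Revoke LAR the way the thread proposes: disable the account. Dry run first;
# drop -WhatIf to enforce.
$report | Where-Object Stale | ForEach-Object {
    Disable-ADAccount -Identity $_.Account -WhatIf
}
```

Disabling the domain account revokes LAR everywhere that account was granted it, which is the point of the bang-account design; the `Privileged` column exists because a second account that ends up in Domain Admins defeats the "limit domain access" goal stated in the question.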
SOLUTION: content available to Experts Exchange members only.
To clarify with the OUs/Admins, I was talking about domain accounts (which would be the user account with an ! at the end) put in the OU and then using the new Windows Server 2008 Group Policy Preferences to manage LAR. That would prevent the user from adding another admin account on the machine.
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
http://msforums.ph/blogs/phiwug/archive/2009/03/30/windows-server-2008-manageability-features-group-policy-preferences-part-2-the-local-administrator.aspx
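The comment above relies on Group Policy Preferences (Local Users and Groups, set to delete all members and then add the approved ones) to keep the local Administrators group from drifting. The PowerShell below is an added example, not code from the thread, the linked articles or any participant: it does the same reconciliation on one machine as a script, which is useful for auditing machines the GPO has not reached yet or for checking that the GPO actually took effect. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), a NetBIOS domain name of CORP, a help-desk group called Desktop Support, and a constructed machine-to-bang-account map; none of those come from the page.

```powershell
# Added example: reconcile the local Administrators group against an allow-list,
# mirroring a GPP "Local Users and Groups" item with "Delete all member users"
# and "Delete all member groups" followed by the approved members.
# Requires Microsoft.PowerShell.LocalAccounts. Names below are assumptions.

$Domain = 'CORP'   # assumed NetBIOS domain name

# Thread convention: one bang account per machine (flast! on workstation1).
# Constructed sample inventory, not real data.
$LarMap = @{
    'WORKSTATION1' = 'flast!'
    'WORKSTATION2' = 'jdoe!'
}

function Get-AllowedAdmins {
    param([Parameter(Mandatory)][string]$ComputerName)
    $allowed = @(
        "$ComputerName\Administrator",    # built-in local admin (ideally LAPS-managed)
        "$Domain\Domain Admins",
        "$Domain\Desktop Support"         # assumed help-desk group
    )
    if ($LarMap.ContainsKey($ComputerName)) {
        $allowed += "$Domain\$($LarMap[$ComputerName])"
    }
    return $allowed
}

function Sync-LocalAdministrators {
    param([switch]$Enforce)

    $allowed = Get-AllowedAdmins -ComputerName $env:COMPUTERNAME
    # Get-LocalGroupMember reports members as "MACHINE\name" or "DOMAIN\name";
    # -notcontains is case-insensitive, so casing differences do not cause churn.
    $current = @(Get-LocalGroupMember -Group 'Administrators')

    # Extra = anything a user (or malware) added that the allow-list does not cover
    $extra   = @($current | Where-Object { $allowed -notcontains $_.Name })
    # Missing = approved principals that have been removed locally
    $missing = @($allowed | Where-Object { $current.Name -notcontains $_ })

    foreach ($m in $extra) {
        Write-Warning "Unexpected local admin: $($m.Name) (source: $($m.PrincipalSource))"
        if ($Enforce) { Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name }
    }
    foreach ($m in $missing) {
        Write-Warning "Approved admin missing: $m"
        if ($Enforce) { Add-LocalGroupMember -Group 'Administrators' -Member $m }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Extra    = @($extra.Name)
        Missing  = $missing
        InSync   = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Audit only by default; run Sync-LocalAdministrators -Enforce to make the
# group match, which is what the GPP item does on every refresh.
Sync-LocalAdministrators
```

Two caveats a practitioner will hit: `Get-LocalGroupMember` can fail on a group that still contains an unresolvable SID (for example a deleted domain account), so orphaned entries should be cleaned up first; and because the script removes whatever is not on the list, run it in audit mode until the allow-list is known to be complete, exactly as one would test a GPP item with "Delete all members" on a pilot OU before rolling it out.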
ASKER CERTIFIED SOLUTION: content available to Experts Exchange members only.
Thanks for all the input. This has me thinking a bit more, and I will need to present all sides as options. Thanks again.
I would love it if bluntTony saw my comment and replied! I am in a similar situation as the OP. I have an inherited AD that needs some attention. Domain Users was granted membership in the local Administrators group on all PCs. I have corrected that for 90% of my domain at this point by simply removing Domain Users from that policy. Now I need to implement a good method for allowing some users administrative access, like we commonly say, for those users that say they need local admin privileges.

bluntTony, in your solution for the OP, you say to just add/remove users to and from the OU. Are you in the mindset of the "user" needing access and calling the help desk, and the help desk tech moving the user into the appropriate OU and later removing them? If I understand this correctly, this would grant the user LAR for any PC that is also in the appropriate OU.

If so, what is the option for granting LAR for a user specifically on their PC? We have limited staff, and we do not have a help desk; I am all in for this methodology, but unfortunately I don't think it will get approved. So, what I am trying to accomplish is to allow a small group of users LAR to their PC ONLY and no one else's.