sunhux

Allow a group or a few domain accounts to login to a few PCs

For external vendors/consultants who come onsite to do source code review
& penetration testing of application code, we're creating 5 Windows accounts &
providing them 5 PCs to use onsite. They don't need Internet access but will
need intranet access (i.e. within our internal network).

They need a sort of 'power users' privilege on the Windows PCs so that they
can install & run their tools with elevated privilege. We want the 5 of them
to be able to use the 5 PCs interchangeably, i.e. any one of them can use
any of the 5 PCs but not any other PCs in our organization.

Q1:
What's the best practice? Create domain accounts for each of them (with
no domain admin rights, just normal domain user) & assign the 5
domain IDs to the local Administrators group on each PC? Or create
5 local accounts on each PC with power user rights (i.e. under the group
"Power Users" or "Administrator" or ?)

Q2:
If the best practice is to create non-privileged domain admin IDs, what are
the steps to restrict them to the 5 PCs? I was told by a colleague this is
very tedious to set up as it involves OUs etc. Please give step-by-step
instructions as I'm a newbie to Windows. The PCs are all on Win 7.
Or is it less effort & faster to just create 5 local accounts on each of
the 5 PCs?

The 5 vendors will be onsite for about 2 months & we may have a lot of such
future vendors coming onsite, so we need to be able to delete their
accounts in a timely manner & have something sustainable to manage that still
complies with IT security.
ASKER CERTIFIED SOLUTION
Jason Paradis

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
Shaun Vermaak

sunhux

ASKER

So assuming we have 100 PCs, with 3 local accounts per PC:
in terms of effort to maintain (& auditors often want us to review if accounts
are still active & if their logins are being reviewed), creating domain accounts
& assigning by OU group is more efficient & compliant with audit than creating
local accounts: is this the consensus here, Jason, Shaun & Arnold?