Pau Lo

asked on

Examples of where local administrator permissions would be required.

What kind of activities on a Windows server would actually require local administrator privileges? Or, as server engineers yourselves, what day-to-day tasks do you perform on Windows servers that do require you to be a member of the local admins group? We have got to go through the local admins groups on a number of critical servers and the numbers seem on the high side, but I want to be equipped with some examples of when you do need local admin rights, to query if these users would ever need to perform such a task as part of their duties. If I could get something like the most common 5 admin-type duties that are performed on Windows servers that do require local admin rights, that would be a start I suppose. I suspect in many cases those with administrator group privileges on some of the servers have no real requirement to have it. In case it's of interest, the vast majority of these servers run Windows Server 2012.
ASKER CERTIFIED SOLUTION
McKnife
The answer depends on the exact duties of the people who do work on the servers. So you're literally asking us things that your side actually has the answers to. Obviously the number doing admin things should be as small as possible, but every organization handles their things differently.
THE simplest answer would be:

In all cases of server administration tasks if you don't have a domain controller.

I saw this kind of practice in cases where you have a consultant who must install an application on one of your servers in branch X, you do not give him access as Local admin.

You use a local admin account for the following cases:

- The administrator intervenes only on a server
- A consultant who must intervene only on a server in branch for example
- A junior administrator ... you do not want his intervention as an apprentice impact on your whole
- For a user whose application requires elevation
- For a user whom you have authorized to install an application, and you do not have the time to do it (that, on the other hand, is not ITIL)
- A service of which you do not measure the scale and that you want to set to automatic start (that, on the other hand, is not ITIL)
- When you have no domain controller, hence your only alternative ... lol
PMA, no feedback at all?
I hope we could help you.