Pau Lo
 asked on

local admin and 3rd party admins - best practice

What is the general best practice from a security perspective when it comes to the default local administrator accounts on Windows servers?
And similarly, what is the general best practice from a security & administration perspective when it comes to 3rd party technical support who may have a requirement for remote access into your network for managing certain applications and the servers and environment on which they are installed? I am thinking in terms of managing permissions and location/management within AD.

Security, Windows OS, OS Security

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
David Johnson, CD

Pau Lo

ASKER
need administrator access use Microsoft LAPS#

From a support perspective, is there a need to enable the local admin account and use it, or can you get away with domain accounts?
David Johnson, CD

You can use domain accounts for management..   * admin* depending upon need
EXPERT CERTIFIED SOLUTION
Lee W, MVP

Pau Lo

ASKER
How do you organize and file 3rd party user accounts in your AD, out of interest? Are they blended in with local admin accounts, or do you handle things differently? Is there an ideal way to approach this?
Lee W, MVP

They would get their own OU.
Pau Lo

ASKER
From an administrator's perspective (I don't work in a support role), what is the benefit to putting them in their own OU? Or from the other angle, what is the risk in not doing so?
Lee W, MVP

Organization - you know which are contractors easily.  You can also apply policies to them that are specific to contractors.  You could have multiple contractors OUs depending on your organization layout.  For example, if you break down your OU structure in part by office location, each office could have a contractors OU.
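
The layout described in the comment above (a contractors OU under each office OU, with a contractor-specific policy linked to it), as an added PowerShell example that is not part of the original thread. The `OU=Offices` parent, the `Contractors` OU name and the `Contractor Baseline` GPO name are assumptions, and the GPO is created empty because the thread names no specific settings.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not code from the thread. Assumed names: OU=Offices parent OU,
# "Contractors" child OU, and a GPO called "Contractor Baseline".

$domainDn   = (Get-ADDomain).DistinguishedName
$officeRoot = "OU=Offices,$domainDn"   # assumption: one child OU per office location
$ouName     = 'Contractors'            # assumed OU name
$gpoName    = 'Contractor Baseline'    # hypothetical GPO; settings are left to the admin

# Create the contractor GPO once, so every contractors OU links the same policy.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Policies specific to contractors'
}

$offices = Get-ADOrganizationalUnit -Filter * -SearchBase $officeRoot -SearchScope OneLevel

foreach ($office in $offices) {
    $contractorDn = "OU=$ouName,$($office.DistinguishedName)"

    # Create the contractors OU under this office only if it is missing.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $office.DistinguishedName -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $ouName -Path $office.DistinguishedName `
            -ProtectedFromAccidentalDeletion $true
    }

    # Link the contractor GPO unless it is already linked here.
    $linked = (Get-GPInheritance -Target $contractorDn).GpoLinks.DisplayName
    if ($linked -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $contractorDn -LinkEnabled Yes | Out-Null
    }

    # List the accounts in this OU so contractor accounts can be reviewed per office.
    Get-ADUser -Filter * -SearchBase $contractorDn -Properties LastLogonDate |
        Select-Object @{n = 'Office'; e = { $office.Name }},
                      SamAccountName, Enabled, LastLogonDate
}
```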
Pau Lo

ASKER
Thanks Lee. Out of interest, could you give a couple of examples of any specific policies you'd apply to just contractors, 3rd parties? I'd be interested to learn about some examples for my own learning.