What Don Ely said.  A group that is in the local administrators group on
each PC.  And it can be managed via Group Policy Preferences.  Easy peasy,
lemon squeezy.

I run with three (in reality four) accounts; I'm a one-man shop.
User account, no admin access anywhere.  Workstation admin group: I have
another account that is in that group, and this gets used from my workstation
when accessing other computers over the network.  And then a third account
which is in Domain Admins.  I also have yet another account in the
workstation admin group that gets enabled as needed and disabled when
finished, if I should need to log on interactively to a computer and I
suspect it has been compromised.

It's a layered defense, and it works extremely well with Windows 7 and
entering alternate credentials.



On Tue, Jul 19, 2011 at 1:31 PM, David Lum <[email protected]> wrote:

> A local admin account?  So 50 IT folks would have 50 different local admin
> accounts? Other than the deny log on locally what keeps them from creating
> an admin account while logged in as admin?
>
> Win 7 makes alternate credentials easy enough at least…
>
> Dave.
>
> *From:* Kennedy, Jim [mailto:[email protected]]
> *Sent:* Tuesday, July 19, 2011 10:20 AM
> *To:* NT System Admin Issues
> *Subject:* RE: non-local admin revisited
>
> +1
>
> *From:* Don Ely [mailto:[email protected]]
> *Sent:* Tuesday, July 19, 2011 1:19 PM
> *To:* NT System Admin Issues
> *Subject:* Re: non-local admin revisited
>
> Provide them with an admin account and show them how to use "run-as"...  I
> also disable logon locally where I can get away with it so they don't
> cheat...
>
> On Tue, Jul 19, 2011 at 10:10 AM, David Lum <[email protected]> wrote:
>
> How do you bigger orgs handle IT staff (DBAs and the like) not being
> local admins on their systems? Invariably they are used to throwing on
> whatever they want and in some ways this helps the Help desk so they’re not
> called to install stuff the user can install.
>
> As we move to Windows 7 my recommendation is to yank local admin perms at
> the same time (yes everyone is local admin on their XP systems currently),
> but I foresee pushback from Service Desk and IT folks…
>
> *David Lum*
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
