Depending on the size of the orgs I've been at they have done similar things.
1) Very large company - our accounts didn't have anything to do with our names - for example a logon id was a Letter and some numbers - example L1234, for user Don K.
ID with elevated privilege was L1234A - Don K domain admin id
Then there was THE domain admin id - administrator that was locked down
Then there was also Enterprise admin id - separate with even fewer people knowing the pw
Then there was local workstation Admin id - same on all pcs
Then there was a server admin id - same on all server type machines
Then there were service accounts - example a backup user id, a storage user id, a virus user id, etc.

2) Medium company - account looked like your real name - example Don K user account donk
No elevated privilege ID - eg donkadmin but donk id didn't have admin rights. Had to use the domain admin id
Separate domain admin, workstation admin, and local server admin, plus service accounts for each discipline.

3) Small company - user login account was almost your real name don k - dk or donk
The user id was also given the domain id rights
Still separate domain, workstation, and server admin ids but many passwords were the same

________________________________
From: Ben Scott <[email protected]>
To: NT System Admin Issues <[email protected]>
Sent: Tuesday, February 28, 2012 5:52 PM
Subject: Re: Log on to DC directly

On Tue, Feb 28, 2012 at 6:32 PM, Crawford, Scott <[email protected]> wrote:
>> When one person is doing everything from a single PC, logging into
>> 42 different accounts isn't going to yield nearly as much benefit.
>
> Agreed, but I'd suspect 3 would be a pretty beneficial place to start:
> 1) Unprivileged standard user
> 2) Local administrator
> 3) Domain administrator

Yah, that's similar to what we do here currently. Everybody has their individual user account, which has basically no "special" privileges. ("Special" meaning something to do with computer internals, as opposed to just controlling access to "ordinary" data.)
Then we've got a "PCADMIN" account, which is in "Administrators" on most client computers, but is not special for servers or AD. Then there's the company-wide all-powerful uber account.

Now that the IT department is more than just me, I really should change the scheme so that each warm body in IT gets its own of each privileged account.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
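The schemes above all rest on one thing being true: the everyday user ID must not itself sit in a privileged group, and the elevated ID must be a distinct account. The following PowerShell audit, added here as an illustration and not code from any poster in this thread, checks that from the directory side. It assumes the ActiveDirectory module is available, that the privileged groups are the built-in names listed in $PrivilegedGroups, and that elevated IDs follow a suffix convention like the "L1234A" / "donkadmin" patterns described above (the $PrivilegedSuffixes list is an assumption to adjust for your own naming).

```powershell
# Added example, not from the thread: list every user in a privileged group and flag
# the ones whose name looks like an everyday (non-suffixed) account, i.e. the case the
# "separate admin ID" scheme is supposed to rule out.
Import-Module ActiveDirectory

# Groups to inspect (built-in names); extend with your own tiered admin groups.
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
# Assumption: elevated IDs end in one of these suffixes (cf. L1234A, donkadmin above).
$PrivilegedSuffixes = @('A', 'admin')

function Test-PrivilegedNaming {
    param([Parameter(Mandatory)][string]$SamAccountName)
    foreach ($suffix in $PrivilegedSuffixes) {
        if ($SamAccountName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive resolves nested groups so indirect membership is caught too.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.SamAccountName -Properties Enabled, PasswordLastSet, LastLogonDate
        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            # True when a privileged group contains an account named like a daily-use ID.
            EverydayNaming  = -not (Test-PrivilegedNaming -SamAccountName $u.SamAccountName)
        }
    }
}

# Full picture first, then the violations for follow-up.
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$findings | Where-Object { $_.EverydayNaming } |
    Export-Csv -Path .\privileged-everyday-accounts.csv -NoTypeInformation
```

Run it from a workstation with RSAT under an account that can read group membership. A row with EverydayNaming set to True is the "donk is also a domain admin" situation from the small-company case; PasswordLastSet and LastLogonDate help spot the shared, never-rotated admin IDs the thread mentions, though this script only reports on directory accounts and says nothing about whether local workstation or server admin passwords are reused across machines.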
