It depends... :-) On Fri, Jun 8, 2012 at 9:11 AM, David Lum <[email protected]> wrote:
> A fellow team member (not an SE, but more of an application owner type of > tech person) needs Local Admin access to a server to install and configure > a new application on it. I understand the need and agree with it.**** > > ** ** > > Instead of just throwing his account into the local admin group on that > server I did the following:**** > > Created a LA-<servername> account (LA= Local Admin) > Created a security group called LA-<servername>_LocalAdmin, added the > above to it**** > > Created a GPO to put said security group into local admins on that server* > *** > > ** ** > > My thinking is **** > > **1. **This keeps him from using his daily account to be local > admin on the box**** > > **2. **I don’t have an individual assignment on that server**** > > ** ** > > In general, I view putting a user specifically into a server’s local group > as the same as putting a user (instead of a group) into the ACL of an NTFS > folder. If said employee leaves, it’s difficult/tedious to see where they > had access TO so we have no idea where their replacement might need to be > added.**** > > ** ** > > However, was that really too much work to give the guy the ability to log > in as local admin?**** > > *David Lum* > Systems Engineer // NWEATM > Office 503.548.5229 //* *Cell (voice/text) 503.267.9764**** > > ** ** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
