You created a general account? Rather than a specific account for the user?

In general though, in a small environment I would create a Domain group of some 
kind (e.g. Universal or Global). The Domain group would be based on a business 
need/business unit/etc. Add that group to the Local Administrators group on the 
server. Put an account for that user into that Domain group.

Then it becomes easier to track what access the user has - just look at the 
group membership of that user.

Cheers
Ken

From: David Lum [mailto:[email protected]]
Sent: Friday, 8 June 2012 9:11 PM
To: NT System Admin Issues
Subject: Reality check

A fellow team member (not an SE, but more of an application owner type of tech 
person) needs Local Admin access to a server to install and configure a new 
application on it. I understand the need and agree with it.

Instead of just throwing his account into the local admin group on that server 
I did the following:
Created a LA-<servername> account (LA= Local Admin)
Created a security group called LA-<servername>_LocalAdmin, added the above to 
it
Created a GPO to put said security group into local admins on that server

My thinking is:

1. This keeps him from using his daily account to be local admin on the box
2. I don't have an individual assignment on that server

In general, I view putting a user specifically into a server's local group as 
the same as putting a user (instead of a group) into the ACL of an NTFS folder. 
If said employee leaves, it's difficult/tedious to see where they had access TO 
so we have no idea where their replacement might need to be added.

However, was that really too much work to give the guy the ability to log in as 
local admin?
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764
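
An added example, not part of the original thread: a PowerShell check that flags members of a server's local Administrators group that bypass the per-server group convention described above (LA-<servername>_LocalAdmin). The function name Find-DirectAdminAssignment, the domain CONTOSO, the server APP01, the user and group names in the sample and the Domain Admins allow-list are assumptions.

```powershell
# Added example: classify members of a server's local Administrators group.
# Input objects carry the Name, ObjectClass and PrincipalSource properties
# that Get-LocalGroupMember returns.
function Find-DirectAdminAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Member,
        # Domain groups tolerated besides the per-server group (assumption).
        [string[]] $AllowedGroups = @('Domain Admins')
    )
    begin {
        # Per-server group name, following the convention in the thread.
        $expected = "LA-${ServerName}_LocalAdmin"
    }
    process {
        # Drop the DOMAIN\ or COMPUTER\ prefix so bare names can be compared.
        $bare = ($Member.Name -split '\\')[-1]
        if ($Member.PrincipalSource -eq 'Local') { $finding = 'LocalPrincipal' }
        elseif ($Member.ObjectClass -eq 'User') { $finding = 'DirectUserAssignment' }
        elseif ($bare -eq $expected) { $finding = 'ExpectedGroup' }
        elseif ($AllowedGroups -contains $bare) { $finding = 'AllowedGroup' }
        else { $finding = 'UnexpectedGroup' }
        [pscustomobject]@{
            Server = $ServerName; Member = $Member.Name; Finding = $finding
        }
    }
}

# Constructed sample membership for a server named APP01 (all names invented).
$sample = @(
    [pscustomobject]@{ Name = 'APP01\Administrator'; ObjectClass = 'User'; PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\LA-APP01_LocalAdmin'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\jsmith'; ObjectClass = 'User'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\AppOwners'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
)

# Report only the entries that break the convention.
$sample | Find-DirectAdminAssignment -ServerName 'APP01' |
    Where-Object { $_.Finding -in 'DirectUserAssignment', 'UnexpectedGroup' }

# On a live server, feed it the real membership instead of the sample:
# Get-LocalGroupMember -Group 'Administrators' |
#     Find-DirectAdminAssignment -ServerName $env:COMPUTERNAME
```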


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
