On Fri, Jun 8, 2012 at 6:11 AM, David Lum <[email protected]> wrote: > A fellow team member (not an SE, but more of an application owner type of > tech person) needs Local Admin access to a server to install and configure a > new application on it. I understand the need and agree with it. > > Instead of just throwing his account into the local admin group on that > server I did the following: > > Created a LA-<servername> account (LA= Local Admin) > Created a security group called LA-<servername>_LocalAdmin, added the above > to it > > Created a GPO to put said security group into local admins on that server > > My thinking is > > 1. This keeps him from using his daily account to be local admin on > the box > > 2. I don’t have an individual assignment on that server > > In general, I view putting a user specifically into a server’s local group > as the same as putting a user (instead of a group) into the ACL of an NTFS > folder. If said employee leaves, it’s difficult/tedious to see where they > had access TO so we have no idea where their replacement might need to be > added. > > However, was that really too much work to give the guy the ability to log in > as local admin?
The thing I would do differently is to create an individual account for that user, rather than a generic server admin account for the server - thus, instead of LA-servername, I would make it username-servername. One account per person per server (for non-IT folk - they each should have their own server administrator account, different from their DA accounts and different from their workstation accounts and different from their personal accounts). Kurt ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
