Yeah after seeing other responses I did exactly that. Better than a "per server" account.
-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Friday, June 08, 2012 10:00 AM
To: NT System Admin Issues
Subject: Re: Reality check

On Fri, Jun 8, 2012 at 6:11 AM, David Lum <[email protected]> wrote:
> A fellow team member (not an SE, but more of an application owner type
> of tech person) needs Local Admin access to a server to install and
> configure a new application on it. I understand the need and agree with it.
>
> Instead of just throwing his account into the local admin group on
> that server I did the following:
>
> Created a LA-<servername> account (LA= Local Admin)
> Created a security group called LA-<servername>_LocalAdmin, added the above to it
>
> Created a GPO to put said security group into local admins on that
> server
>
> My thinking is
>
> 1. This keeps him from using his daily account to be local admin
> on the box
>
> 2. I don’t have an individual assignment on that server
>
> In general, I view putting a user specifically into a server’s local
> group as the same as putting a user (instead of a group) into the ACL
> of an NTFS folder. If said employee leaves, it’s difficult/tedious to
> see where they had access TO so we have no idea where their
> replacement might need to be added.
>
> However, was that really too much work to give the guy the ability to
> log in as local admin?

The thing I would do differently is to create an individual account for that user, rather than a generic server admin account for the server - thus, instead of LA-servername, I would make it username-servername.

One account per person per server (for non-IT folk - they each should have their own server administrator account, different from their DA accounts and different from their workstation accounts and different from their personal accounts).

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
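The pattern the thread settles on (a dedicated username-servername account, placed in a per-server LA-<servername>_LocalAdmin group that a GPO pushes into local Administrators) can be scripted so it stays consistent and auditable. The following is an added example, not code from either poster; it assumes the RSAT ActiveDirectory module and OU paths of your own, and it also adds the lookup David was worried about at offboarding time: which servers a given person holds admin on.

```powershell
# Added example (not from the thread): provisions a per-person, per-server
# local admin account in the naming style Kurt suggests (username-servername),
# places it in the per-server group David describes (LA-<servername>_LocalAdmin),
# and audits which servers a person already holds admin on via those groups.
# Assumes the RSAT ActiveDirectory module; the OU paths below are assumptions.
Import-Module ActiveDirectory

$AdminOU = 'OU=ServerAdminAccounts,DC=example,DC=com'   # assumed OU
$GroupOU = 'OU=ServerAdminGroups,DC=example,DC=com'     # assumed OU

function New-ServerAdminAccess {
    param(
        [Parameter(Mandatory)][string]$UserName,    # the person's daily SAM account
        [Parameter(Mandatory)][string]$ServerName
    )
    $admAccount = "$UserName-$ServerName"            # e.g. dlum-APP01
    $groupName  = "LA-${ServerName}_LocalAdmin"      # the group the GPO targets

    # One dedicated account per person per server; the daily account is never used.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$admAccount'")) {
        New-ADUser -Name $admAccount -SamAccountName $admAccount -Path $AdminOU `
            -AccountPassword (Read-Host -AsSecureString "Initial password for $admAccount") `
            -ChangePasswordAtLogon $true -Enabled $true `
            -Description "Local admin on $ServerName for $UserName"
    }

    # One group per server. The GPO's Restricted Groups setting adds it to that
    # server's local Administrators; that setting is configured in GPMC, as no
    # ActiveDirectory cmdlet writes it.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
            -Path $GroupOU -Description "Members become local Administrators on $ServerName"
    }
    Add-ADGroupMember -Identity $groupName -Members $admAccount
}

function Get-ServerAdminAccess {
    # Answers the offboarding question: which servers does this person hold
    # local admin on? Walks their per-server accounts and the LA-* groups.
    param([Parameter(Mandatory)][string]$UserName)
    Get-ADUser -Filter "SamAccountName -like '$UserName-*'" |
        ForEach-Object {
            Get-ADPrincipalGroupMembership $_ |
                Where-Object Name -like 'LA-*_LocalAdmin' |
                ForEach-Object { $_.Name -replace '^LA-(.+)_LocalAdmin$', '$1' }
        } | Sort-Object -Unique
}

# Usage:
# New-ServerAdminAccess -UserName dlum -ServerName APP01
# Get-ServerAdminAccess -UserName dlum     # lists APP01 and any other servers
```

Disabling the person's username-* accounts at departure, and handing their replacement the same group memberships, follows directly from the output of the second function.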
