We are having an internal discussion on how to handle computer access rights for our application support and desktop support techs. Right now, certain techs are in an AD group which is in the local Administrators group on some PCs. This lets them resolve end-user issues by accessing the user PCs with Remote Desktop, Remote Registry, or simple connections to a share. However, it also means they can get to anything on the users' PCs and there is no auditable access tracking.
So, we'd like to remove this access privilege and have the techs use other support methodologies, such as Remote Assistance, which requires the users to be aware of what's going on. There are cases, though, where the app support guys say they have to make batch updates to groups of PCs (such as to point them to a new license server) and they're balking at giving up their local admin rights. I've already thought of some ways to handle these issues, but I'd like to hear what some of you have done. We're running XP SP2/SP3 desktops on 2008 AD domains. The PCs are managed with SCCM 2007 SP1. Thanks, -Malcolm ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
