Don't know how big an org you are, but on one secure account we worked on admin access was "leased" to users on request by a backbone security team. The admin accounts for users which had rights to workstations or servers as required were disabled until requested through a helpdesk case, and when they were activated, a specific account expiry date was set - usually tied to a particular change window. Accounts were not elevated for more than a day generally.
This of course assumes that you can set up a backbone security team and configure your AD correctly so that leased admin accounts can't override this process themselves.

2009/3/4 Malcolm Reitz <[email protected]>

> We are having an internal discussion on how to handle computer access
> rights for our application support and desktop support techs. Right now,
> certain techs are in an AD group which is in the local Administrators group
> on some PCs. This lets them resolve end-user issues by accessing the user
> PCs with Remote Desktop, Remote Registry, or simple connections to a share.
> However, it also means they can get to anything on the users’ PCs and there
> is no auditable access tracking.
>
> So, we’d like to remove this access privilege and have the techs use other
> support methodologies, such as Remote Assistance, which requires the users
> to be aware of what’s going on. There are cases, though, where the app
> support guys say they have to make batch updates to groups of PCs (such as
> to point them to a new license server) and they’re balking at giving up
> their local admin rights. I’ve already thought of some ways to handle these
> issues, but I’d like to hear what some of you have done. We’re running XP
> SP2/SP3 desktops on 2008 AD domains. The PCs are managed with SCCM 2007 SP1.
>
> Thanks,
>
> -Malcolm
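The leasing process described in the reply above (account disabled by default, enabled only against a helpdesk case, expiry pinned to the change window, never more than a day), written out as an added PowerShell example. This is not code from the thread or from either poster; it assumes the ActiveDirectory module (shipped with Server 2008 R2 RSAT and later, so newer than the 2008 domains mentioned), a dedicated OU holding the leased admin accounts, a helpdesk case-id format and an audit log path, all of which are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module available,
# leased admin accounts live in their own OU, case ids look like HD-12345 or CHG-12345,
# and the audit log path below exists. Adjust all three to your environment.

Import-Module ActiveDirectory

$LeasedAdminOU = 'OU=Leased Admin Accounts,DC=example,DC=com'   # assumed OU
$AuditLog      = 'C:\AdminLease\lease-audit.log'                # assumed log path
$MaxLeaseHours = 24                                             # "not more than a day"

function Write-LeaseAudit {
    param([string]$Message)
    # Every grant/revoke is recorded with who ran it; this is the audit trail the
    # original poster says the standing local-admin group membership lacks.
    $line = "{0:u} {1} {2}" -f (Get-Date), $env:USERNAME, $Message
    Add-Content -Path $AuditLog -Value $line
}

function Grant-AdminLease {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CaseId,       # helpdesk case that requested the lease
        [Parameter(Mandatory)][datetime]$WindowEnd   # end of the approved change window
    )
    if ($CaseId -notmatch '^(HD|CHG)-\d{5,}$') {     # assumed ticket-id format
        throw "Lease refused: '$CaseId' is not a valid helpdesk case id"
    }
    $maxEnd = (Get-Date).AddHours($MaxLeaseHours)
    if ($WindowEnd -gt $maxEnd) {
        throw "Lease refused: window end $WindowEnd exceeds the $MaxLeaseHours hour lease limit"
    }
    # Only accounts inside the leased-admin OU can be leased; -SearchBase scopes the lookup.
    $acct = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -SearchBase $LeasedAdminOU
    if (-not $acct) { throw "Lease refused: $SamAccountName is not a leased admin account" }

    # Set the expiry before enabling: if enabling fails the account simply stays disabled,
    # and there is never an enabled account without an expiry.
    Set-ADAccountExpiration -Identity $acct -DateTime $WindowEnd
    Enable-ADAccount -Identity $acct
    Write-LeaseAudit "GRANT $SamAccountName case=$CaseId expires=$($WindowEnd.ToString('u'))"
}

function Revoke-AdminLease {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Reason = 'window closed'
    )
    # Disable first, then clear the expiry so the account returns to its resting state.
    Disable-ADAccount -Identity $SamAccountName
    Clear-ADAccountExpiration -Identity $SamAccountName
    Write-LeaseAudit "REVOKE $SamAccountName reason=$Reason"
}

# Control check for the "can't override the process themselves" point in the reply:
# an enabled leased account with no expiry, or an expiry beyond the lease limit,
# was not granted through this process and should be revoked.
function Find-LeaseViolations {
    $limit = (Get-Date).AddHours($MaxLeaseHours)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $LeasedAdminOU -Properties AccountExpirationDate |
        Where-Object { -not $_.AccountExpirationDate -or $_.AccountExpirationDate -gt $limit }
}

# Example usage (constructed values):
# Grant-AdminLease -SamAccountName 'adm-jsmith' -CaseId 'HD-10234' -WindowEnd (Get-Date '2009-03-05 02:00')
# Find-LeaseViolations | ForEach-Object { Revoke-AdminLease -SamAccountName $_.SamAccountName -Reason 'no valid lease' }
```

Run Find-LeaseViolations on a schedule from the security team's own account; the AD permissions that let the tech accounts enable themselves or change their own expiry are exactly the ones the reply says must be withheld for the scheme to hold, so the check only tells you about a breach, it does not prevent one.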
