Our MO at my last larger multi-site client was to have individual accounts,
one for each PC. That way there was no compromise of any other machine if
one pw was passed around.
I used Steve Riley's Passgen tool to create and retrieve strong pws. Some
scripting allowed me to change the local account on each machine as long as
I had connectivity to it.

Here's a link to some info about the tool...

http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx


I don't know how this will play with >vista; the remote connectivity might
be problematic for the scripting part, but even if it's never scripted, the
ability to set and retrieve strong local pws is significant. It allows you
to create a pw, use it, change it, and still be able to retrieve it easily.
Worth a look...

***********************
Charlie Kaiser
[email protected]
Kingman, AZ
***********************  
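A sketch of the per-machine scheme Charlie describes (one local account per PC, a password that can be recreated later, pushed out by script), as an added example that is not Passgen and not code from the thread. The account name, computer names and the HMAC-based derivation are assumptions; the caller is assumed to be an admin on each target with RPC/SMB reachable.

```powershell
# Added example, not Passgen: one master secret yields a different password per
# machine, so a password leaked from one PC says nothing about the others, and
# the admin can re-derive any of them later without keeping a database.

function Get-MachinePassword {
    param(
        [Parameter(Mandatory)][string]$MasterSecret,
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Generation = 1,   # bump to change the password; old one stays re-derivable
        [int]$Length = 20
    )
    # HMAC-SHA256 keyed by the master secret over "name|generation": the same
    # inputs always give the same password. Guard the master secret; anyone
    # holding it can derive every machine's password.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Text.Encoding]::UTF8.GetBytes($MasterSecret)
    $msg = [Text.Encoding]::UTF8.GetBytes("$($ComputerName.ToLowerInvariant())|$Generation")
    $digest = $hmac.ComputeHash($msg)
    $hmac.Dispose()
    # 64 symbols, so the low 6 bits of each digest byte pick one character;
    # no quotes or spaces, so the result is safe to pass to ADSI or net user.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $chars = foreach ($b in $digest[0..($Length - 1)]) { $alphabet[$b -band 0x3F] }
    return -join $chars
}

function Set-LocalAccountPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$Password
    )
    # The ADSI WinNT provider sets a local account's password over the network.
    $user = [ADSI]"WinNT://$ComputerName/$AccountName,user"
    $user.SetPassword($Password)
    $user.SetInfo()
}

# Constructed target list (placeholder names); in practice pull it from AD or a file.
$computers = 'PC-KINGMAN-01', 'PC-PHOENIX-07'
$master = Read-Host 'Master secret (kept by the admin, never stored on targets)'
foreach ($pc in $computers) {
    $pw = Get-MachinePassword -MasterSecret $master -ComputerName $pc -Generation 1
    try {
        Set-LocalAccountPassword -ComputerName $pc -AccountName 'LocalAdmin' -Password $pw
        Write-Host "$pc : password set"
    } catch {
        Write-Warning "$pc : not changed ($($_.Exception.Message))"
    }
}
```

Retrieving a machine's password later is just another call to Get-MachinePassword with the same master secret, computer name and generation number, so nothing has to be written down.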

> -----Original Message-----
> From: ITSec Lists [mailto:[email protected]] 
> Sent: Wednesday, May 05, 2010 1:13 PM
> To: NT System Admin Issues
> Subject: Kind of OT: Generic Accounts
> 
> This is more of a discussion kind of question, to seek 
> possible solutions to an old problem that affects almost 
> everyone with multiple sites.
> 
> There are several locations and all locations have AD 
> implemented, using a single image everywhere. With every 
> location having a local IT person, we could have a backdoor 
> local account on the image and share the password with the 
> local IT, but gradually the password would get known by 
> almost everyone (friend of a friend of a friend... etc.). We 
> could have the local IT guy be an admin in their environment 
> and log on to any local machine with their own credentials. 
> The problem arises when some senior person is in a different 
> country and needs to install something. They could go to the 
> local office, but what about after hours, etc.?
> 
> I am sure there are several options to tackle this issue, and 
> I wanted to get an opinion on what people do for this issue.
> 
> Hypothetically, could there be an option to create a USB of 
> some sort that is non-shareable (uses the laptop's hard disk 
> serial number) that could be given to travellers for use in 
> emergencies to gain admin access only on that particular 
> machine? Obviously it is not a fool-proof method due to the 
> several what-ifs (loss of USB, creating an additional admin 
> account with the admin access, etc.), but does something exist?
> 
> Thanks
> ~ Finally, powerful endpoint security that ISN'T a resource 
> hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

