I think it would also depend on the scripting language you are using as the
remote access/running in the >Vista machines.  I think it could be done with
PowerShell provided the machine was set up to allow the PS script to run
elevated.  Most likely other languages as well but with more effort.

Jon

On Wed, May 5, 2010 at 5:27 PM, Charlie Kaiser <[email protected]> wrote:

> Our MO at my last larger multi-site client was to have individual accounts,
> one for each PC. That way there was no compromise of any other machine if
> one pw was passed around.
> I used Steve Riley's Passgen tool to create and retrieve strong pws. Some
> scripting allowed me to change the local account on each machine as long as
> I had connectivity to it.
>
> Here's a link to some info about the tool...
>
>
> http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx
>
>
> I don't know how this will play with >Vista; the remote connectivity might
> be problematic for the scripting part, but even if it's never scripted, the
> ability to set and retrieve strong local pws is significant. It allows you
> to create a pw, use it, change it, and still be able to retrieve it easily.
> Worth a look...
>
> ***********************
> Charlie Kaiser
> [email protected]
> Kingman, AZ
> ***********************
>
> > -----Original Message-----
> > From: ITSec Lists [mailto:[email protected]]
> > Sent: Wednesday, May 05, 2010 1:13 PM
> > To: NT System Admin Issues
> > Subject: Kind of OT: Generic Accounts
> >
> > This is more of a discussion kind of question to seek
> > possible solutions to an old problem that almost everyone
> > with multiple sites gets affected with.
> >
> > There are several locations and all locations have AD
> > implemented, using a single image everywhere. With every
> > location having a local IT person, we could have a backdoor
> > local account on the image and share the password with the
> > local IT, but gradually, the password would get known by
> > almost everyone (friend of a friend of a friend...etc) We
> > could have the local IT guy be admins in their environment
> > and log on to any local machine with their own credentials.
> > The problem arises when some senior person is in a different
> > country and needs to install something. They could go to the
> > local office, but what about after hours. etc etc
> >
> > I am sure there are several options to tackle this issue, and
> > I wanted to get an opinion on what people do for this issue.
> >
> > Hypothetically, could there be an option to create a USB of
> > some sort that is non shareable (Uses the laptop's Hard disk
> > serial number) that could be given to travellers for use in
> > emergencies to gain admin access only on that particular
> > machine. Obviously, it is not a fool-proof method due to the
> > several what ifs (loss of USB, creating an additional admin
> > account with the admin access, etc) but does something exist?
> >
> > Thanks
> > ~ Finally, powerful endpoint security that ISN'T a resource
> > hog! ~ ~
> > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
>
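
The per-PC scheme Charlie describes (a different strong local password on every machine that can be recreated on demand instead of being stored) can be sketched as below. This is an added example, not part of the thread and not Passgen's actual algorithm; the function name `Get-MachinePassword`, the HMAC-SHA256 construction, the version counter and the sample key and machine names are all assumptions made for illustration.

```powershell
# Added example (hypothetical names throughout; not Passgen's algorithm).
# Derives a local-admin password from a master key plus the computer name,
# so learning one machine's password reveals nothing about any other machine.
function Get-MachinePassword {
    param(
        [Parameter(Mandatory = $true)] [byte[]] $MasterKey,    # held only by central IT
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [int] $Version = 1,     # increase to rotate the password of one machine
        [int] $Length  = 20
    )
    # Look-alike characters (I, O, l, 0, 1) are left out so the password can be read aloud.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@'
    # Bytes at or above this limit are discarded to avoid modulo bias.
    $limit = 256 - (256 % $alphabet.Length)

    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (, $MasterKey)
    $sb   = New-Object System.Text.StringBuilder
    try {
        # Counter mode: HMAC(key, "NAME|version|block") until enough characters exist.
        for ($block = 0; $sb.Length -lt $Length; $block++) {
            $text = '{0}|{1}|{2}' -f $ComputerName.ToUpperInvariant(), $Version, $block
            $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($text))
            foreach ($b in $hash) {
                if ($b -lt $limit -and $sb.Length -lt $Length) {
                    [void]$sb.Append($alphabet[$b % $alphabet.Length])
                }
            }
        }
    }
    finally {
        $hmac.Dispose()
    }
    $sb.ToString()
}

# Constructed sample input. A real master key would be long, random and kept offline.
$key = [Text.Encoding]::UTF8.GetBytes('constructed-demo-master-key')
foreach ($pc in 'LAPTOP-0001', 'LAPTOP-0002') {
    '{0,-12} v1  {1}' -f $pc, (Get-MachinePassword -MasterKey $key -ComputerName $pc)
    '{0,-12} v2  {1}' -f $pc, (Get-MachinePassword -MasterKey $key -ComputerName $pc -Version 2)
}
# Re-running with the same key, name and version reproduces the same password,
# which is what makes "retrieval" possible without a per-machine password list.
```

The master key becomes the single secret to protect, and a derived password is not guaranteed to contain every character class, so check the result against the local complexity policy before setting it.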
