Sounds good, but it may become a password management nightmare: assigning a password for a person before they leave for a trip and remembering to reset it upon return. Also, everyone being an admin is what we are trying to avoid.
On Wed, May 5, 2010 at 5:27 PM, Charlie Kaiser <[email protected]> wrote:

> Our MO at my last larger multi-site client was to have individual accounts,
> one for each PC. That way there was no compromise of any other machine if
> one pw was passed around.
> I used Steve Riley's Passgen tool to create and retrieve strong pws. Some
> scripting allowed me to change the local account on each machine as long as
> I had connectivity to it.
>
> Here's a link to some info about the tool...
>
> http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx
>
> I don't know how this will play with >Vista; the remote connectivity might
> be problematic for the scripting part, but even if it's never scripted, the
> ability to set and retrieve strong local pws is significant. It allows you
> to create a pw, use it, change it, and still be able to retrieve it easily.
> Worth a look...
>
> ***********************
> Charlie Kaiser
> [email protected]
> Kingman, AZ
> ***********************
>
> > -----Original Message-----
> > From: ITSec Lists [mailto:[email protected]]
> > Sent: Wednesday, May 05, 2010 1:13 PM
> > To: NT System Admin Issues
> > Subject: Kind of OT: Generic Accounts
> >
> > This is more of a discussion kind of question to seek
> > possible solutions to an old problem that almost everyone
> > with multiple sites gets affected with.
> >
> > There are several locations and all locations have AD
> > implemented, using a single image everywhere. With every
> > location having a local IT person, we could have a backdoor
> > local account on the image and share the password with the
> > local IT, but gradually the password would get known by
> > almost everyone (friend of a friend of a friend... etc.). We
> > could have the local IT guy be an admin in their environment
> > and log on to any local machine with their own credentials.
> > The problem arises when some senior person is in a different
> > country and needs to install something. They could go to the
> > local office, but what about after hours, etc. etc.
> >
> > I am sure there are several options to tackle this issue, and
> > I wanted to get an opinion on what people do for this issue.
> >
> > Hypothetically, could there be an option to create a USB of
> > some sort that is non-shareable (uses the laptop's hard disk
> > serial number) that could be given to travellers for use in
> > emergencies to gain admin access only on that particular
> > machine? Obviously, it is not a fool-proof method due to the
> > several what-ifs (loss of USB, creating an additional admin
> > account with the admin access, etc.), but does something exist?
> >
> > Thanks
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
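As an added example for readers of this thread (it is not code from the list, and it is not Steve Riley's Passgen): the kind of scheme Charlie describes, where each PC gets its own strong local admin password that central IT can retrieve later without keeping a password database, and can change and retrieve again. Here the password is derived with HMAC-SHA256 from a master secret, the machine name and a rotation version; that derivation, the character set, the 20-character length, the function names and the demo secret are all my assumptions, chosen to illustrate the idea rather than to match any particular tool.

```python
import hashlib
import hmac
import string

# Password alphabet: letters, digits and a conservative set of symbols that
# survive quoting in batch files and "net user" command lines (assumption).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"
# Largest multiple of len(ALPHABET) that fits in a byte; bytes at or above it
# are rejected so the byte -> character mapping has no modulo bias.
_LIMIT = 256 - (256 % len(ALPHABET))


def meets_complexity(password: str) -> bool:
    """Windows-style complexity: at least three of the four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def _candidate(master_secret: bytes, label: bytes, attempt: int, length: int) -> str:
    """Expand HMAC-SHA256(master_secret, label || attempt || counter) into
    `length` characters, pulling further 32-byte blocks as needed."""
    chars = []
    counter = 0
    while len(chars) < length:
        msg = label + attempt.to_bytes(2, "big") + counter.to_bytes(2, "big")
        for b in hmac.new(master_secret, msg, hashlib.sha256).digest():
            if b < _LIMIT:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        counter += 1
    return "".join(chars)


def derive_password(master_secret: bytes, machine: str, version: int = 1,
                    length: int = 20) -> str:
    """Return the local admin password for `machine` at rotation `version`.

    Deterministic: the same inputs always give the same password, so nothing
    has to be stored per machine and the password can be "retrieved" at any
    time by re-deriving it. To change it, bump `version` and push the new
    value to the host. (Assumed scheme for this example, not Passgen's own.)
    """
    if version < 1 or length < 8:
        raise ValueError("version must be >= 1 and length >= 8")
    # Normalise the name so MACHINE01 and machine01 derive the same password.
    label = (b"localadmin\x00" + machine.strip().upper().encode()
             + b"\x00" + str(version).encode())
    attempt = 0
    while True:  # deterministic retry until the complexity rule is met
        pw = _candidate(master_secret, label, attempt, length)
        if meets_complexity(pw):
            return pw
        attempt += 1


def passwords_for(master_secret: bytes, machines, version: int = 1) -> dict:
    """Map each machine name to its own password, for a push script to consume."""
    return {m: derive_password(master_secret, m, version) for m in machines}


def net_user_command(account: str, password: str) -> list:
    """Argument vector a push script would run on the host to set the
    password. Returned as a list so the password is never shell-interpolated."""
    return ["net", "user", account, password]


if __name__ == "__main__":
    # Constructed demo secret for the example only; a real one would be
    # generated with secrets.token_bytes(32) and kept offline by central IT.
    demo_secret = bytes(range(32))
    for name, pw in passwords_for(demo_secret, ["LAX-WS01", "LAX-WS02", "SYD-WS01"]).items():
        print(name, pw, " ".join(net_user_command("Administrator", pw)[:3]), "...")
```

Two practical points follow from the design. A password passed around at one site unlocks only that one PC, because the HMAC outputs for different machine names are unrelated; but the master secret now unlocks every machine, so the risk Charlie describes moves from the shared local password to that single secret, and it has to be guarded accordingly. Rotation is just a version bump, which means someone has to record which version each machine is on (or rotate the whole estate together) or the "retrieve it later" property is lost.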
