Security Basics mailing list archives
RE: Helpdesk as local admin
From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Mon, 5 Feb 2007 10:56:43 -0500
WALI,

By default all users have the right to add 10 machines to the domain. You can modify the Default Domain Controllers Policy (not the Default Domain Policy) to change this. I routinely create a group for adding machines, and delegate the right to add machines to this group and Domain Admins, removing Authenticated Users. Sometimes office managers need to add machines, such as at a remote site without local help desk staff, and I could add them to this group without giving them any other help desk level privilege.

In my experience, the help desk staff needs access to the local admin accounts. So, I cut and pasted a script together that would change the local admin passwords, and would run the script after any IT personnel left. Local admin passwords on the laptops/desktops should certainly be different from the local admin passwords on your servers.

Walking around the building, I would sometimes hear the users mention the local admin password and using it to do something they otherwise couldn't. I would have to review with the help desk staff the importance of keeping this password known only to their group, but invariably the help desk staff would give the password out to users who had run into an issue while out of the office. Usually, this was the screen saver lockout coming on during a PowerPoint presentation. So, periodically, I would change the local admin password even if no one had left. Also, I created a group that wouldn't apply the screen saver lockout and asked secretaries to let me know if an exec was traveling so I could drop them in that group.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Saturday, February 03, 2007 7:59 AM
To: security-basics () securityfocus com
Subject: Helpdesk as local admin

Hi Guys..
So what's the defined best practise regarding HelpDesk personnel being given/told local admin account names and passwords on users' PCs/Workstations in order to undertake routine fault finding and application installation? Help Desk techies also regularly insert new workstations into the domain, hence they need certain privileges to be able to make new workstations join the domain. What could be the most secure way, given the fact that Servers are running Win 2k3 and client machines are a combination of WinXP and Win2k?
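Scott's reply describes two controls: tightening who may join machines to the domain, and a home-grown script that rotates the local admin password whenever help desk staff leave or the password leaks. The PowerShell below is an added example, not Scott's script or anything posted in the thread. The first function reads the domain's ms-DS-MachineAccountQuota attribute (the "10 machines" default he mentions) through ADSI so you can confirm whether it has been reduced; the second rotates the local Administrator password on a list of workstations through the WinNT provider. It goes one step beyond the post by generating a different random password per machine, so a password given out for one laptop cannot be reused on every other desktop. The host names, output path and the assumption that the local account is still named Administrator are placeholders; on current Active Directory domains Microsoft LAPS does this rotation and storage for you.

```powershell
# Added example (not from the original thread). Run from an admin workstation
# with an account that is a local administrator on each target.
# Assumptions: local account is named 'Administrator'; targets accept RPC/SMB
# from this host; $Targets and $OutFile are placeholders.

$Targets = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02')   # constructed host names
$OutFile = 'C:\Secure\localadmin-passwords.txt'    # placeholder; ACL to the help desk group only

function Get-MachineAccountQuota {
    # Reads the domain NC attribute that caps how many computer accounts a
    # non-admin user may create (default 10). 0 means only delegated groups
    # and Domain Admins can join machines.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    [int]$domain.'ms-DS-MachineAccountQuota'.Value
}

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (0/O, 1/l/I) left out so a password read out over the
    # phone to a traveling user is typed correctly.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb    = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    $limit = $chars.Length * [math]::Floor(256 / $chars.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling keeps each pick uniform over the character set.
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($chars[$buf[0] % $chars.Length])
        }
    }
    $sb.ToString()
}

function Set-LocalAdminPassword {
    param([string]$Computer, [string]$Password)
    # WinNT provider works against Win2k/XP-era clients without WinRM.
    $user = [ADSI]"WinNT://$Computer/Administrator,user"
    $user.SetPassword($Password)
    $user.SetInfo()
}

Write-Host ("ms-DS-MachineAccountQuota is currently {0}" -f (Get-MachineAccountQuota))

$records = foreach ($c in $Targets) {
    try {
        $pw = New-RandomPassword
        Set-LocalAdminPassword -Computer $c -Password $pw
        Write-Host "${c}: password rotated"
        # One tab-separated record per machine: host, new password, timestamp.
        "{0}`t{1}`t{2}" -f $c, $pw, (Get-Date -Format s)
    } catch {
        Write-Warning "${c}: failed - $($_.Exception.Message)"
    }
}

# Append to the restricted file so the help desk can look up a single machine
# without learning every other machine's password.
$records | Out-File -FilePath $OutFile -Encoding ASCII -Append
```

Scheduling this after a staff departure, or on a fixed interval as Scott ended up doing, is what makes it useful; the per-machine passwords also mean the server-side Administrator accounts stay untouched, matching his point that workstation and server local admin passwords should differ.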