Educause Security Discussion mailing list archives

Re: Local Admin Accounts

From: Manuel Amaral <Manuel.Amaral () OLIN EDU>
Date: Wed, 16 Sep 2009 15:37:10 -0400

The feedback on this topic has been great.  I'm curious what others do to provide and manage admin access for help desk 
workstudy students to assist with system repairs, troubleshooting, updates, etc. 


Manny
---------------------------------------
Manuel (Manny) Amaral
Associate Director, Information Technology
Franklin W. Olin College of Engineering
 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary 
Flynn
Sent: Wednesday, September 16, 2009 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

We're putting laptops on the domain too. But both laptops and desktops have a local administrator account unique and 
known to the user.


Gary Flynn
Security Engineer
James Madison University

<reply top posted thanks to Microsoft Outlook>

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
Sent: Wednesday, September 16, 2009 3:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

Everyone is posting some great ideas for handling computers on the
domain, but how are you dealing with computers (laptops) that might not
be on the domain?  Are you simply giving them an elevated local
account, using 2 local accounts (one non-admin and one admin) or
something else?

Bob Smith

Information Security Officer

Longwood University

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally
Sent: Wednesday, September 16, 2009 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

1.       We are using Vista in our labs and disable the local
Administrator account.

2.         See #4.

3.       We have never had any issues with machines dropping out of the
domain.  (2500 machines)

4.       We do not allow anonymous account access, everyone uses their
domain account for what they need.  For administrative access we use
group policy.  We created an OU that contains groups with the same name
as the computer.  A group policy will then add the group %COMPUTERNAM%
to the local administrators group.  We simply add the user to the
appropriate %COMPUTERNAM% group and they are an Administrator of that
and only that machine.  We use the same GPO to remove everyone with the
exception of the folks we specify, from all of the groups just in case
one of our %COMPUTERNAM% group Administrators decide to add themselves
or someone else to something that they should not.

5.       Use the Active Directory and Group Policies.

-Wally Strzelec

 Computing and information Services

 Texas A&M University

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, September 16, 2009 1:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Local Admin Accounts

I would like to inquire as to what other Universities are doing with
regard to local admin accounts in Windows domain.  We are contemplating
removing or disabling local administrator accounts across the board and
use a Workstation Administrators group in Active Directory.

1.       Has anyone disabled the local Administrator account?

2.       How do you handle when a machine can no longer talk to the
network or domain, whether a hardware failure or lost trust?

3.       If a machine loses its trust with the domain, what cause this?

4.       Is there a method of creating a unique password for each
machine for the administrator account, or someway of not having to give
out one password that gives someone access to anything and everything?

5.       Any other advice?

Ronald King

Security Engineer

Norfolk State University

Marie V. McDemmond Center for Applied Research

Suite 401

700 Park Ave.

Norfolk, Virginia  23504

Phone:  757-823-3918

Fax: 757-823-2128

Email: raking () nsu edu

http://security.nsu.edu

Current thread:

Re: Local Admin Accounts, (continued)
- Re: Local Admin Accounts Anand S Malwade (Sep 16)
- Re: Local Admin Accounts Stanclift, Michael (Sep 16)
- Re: Local Admin Accounts Guy Pace (Sep 16)
- Re: Local Admin Accounts Gary Flynn (Sep 16)
- Re: Local Admin Accounts Gary Flynn (Sep 16)
- Re: Local Admin Accounts Mark Monroe (Sep 16)
- Re: Local Admin Accounts Strzelec, Wally (Sep 16)
- Re: Local Admin Accounts Steven Alexander (Sep 16)
- Re: Local Admin Accounts Smith, Bob (Sep 16)
- Re: Local Admin Accounts Gary Flynn (Sep 16)
- Re: Local Admin Accounts Manuel Amaral (Sep 16)
- Re: Local Admin Accounts Stanclift, Michael (Sep 16)
- Re: Local Admin Accounts Sweeny, Jonny (Sep 16)
- Re: Local Admin Accounts Guy Pace (Sep 16)
- Re: Local Admin Accounts David Gillett (Sep 16)
- Re: Local Admin Accounts Guy Pace (Sep 16)
- Re: Local Admin Accounts Gary Flynn (Sep 16)
- Re: Local Admin Accounts King, Ronald A. (Sep 16)
- Re: Local Admin Accounts John Hoffoss (Sep 16)
- Re: Local Admin Accounts Strzelec, Wally (Sep 16)
- Re: Local Admin Accounts Stanclift, Michael (Sep 16)

(Thread continues...)