Educause Security Discussion mailing list archives
Re: Local Admin Accounts
From: "Stanclift, Michael" <michael.stanclift () ROCKHURST EDU>
Date: Wed, 16 Sep 2009 20:14:19 -0500
Excellent. I didn't know variables could be used in that section; that opens up a lot of new possibilities. That will easily replace a startup script that I've had in place and be much easier to manage.

Thanks!

Michael Stanclift
Network Analyst
Rockhurst University
http://help.rockhurst.edu
(816) 501-4231
Think before you print!

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally [wally () TAMU EDU]
Sent: Wednesday, September 16, 2009 5:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

Group policy. It's a preference under:

Computer Configuration, Preferences, Control Panel Settings, Local Users and Groups

We created one group that adds %DomainName%\%ComputerName% and another that removes everyone from the Administrators group except %DomainName%\Domain Admins. For other groups like power users and such, we just remove everyone.

-Wally

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
Sent: Wednesday, September 16, 2009 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

On #4, is that scripted or something built into Group Policy?

Michael Stanclift
Network Analyst
Rockhurst University
http://help.rockhurst.edu
(816) 501-4231
Think before you print!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally
Sent: Wednesday, September 16, 2009 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

1. We are using Vista in our labs and disable the local Administrator account.
2. See #4.
3. We have never had any issues with machines dropping out of the domain. (2500 machines)
4. We do not allow anonymous account access; everyone uses their domain account for what they need. For administrative access we use group policy. We created an OU that contains groups with the same name as the computer. A group policy will then add the group %COMPUTERNAM% to the local administrators group. We simply add the user to the appropriate %COMPUTERNAM% group and they are an Administrator of that and only that machine. We use the same GPO to remove everyone, with the exception of the folks we specify, from all of the groups just in case one of our %COMPUTERNAM% group Administrators decides to add themselves or someone else to something that they should not.
5. Use the Active Directory and Group Policies.

-Wally Strzelec
Computing and Information Services
Texas A&M University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, September 16, 2009 1:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Local Admin Accounts

I would like to inquire as to what other Universities are doing with regard to local admin accounts in a Windows domain. We are contemplating removing or disabling local administrator accounts across the board and using a Workstation Administrators group in Active Directory.

1. Has anyone disabled the local Administrator account?
2. How do you handle when a machine can no longer talk to the network or domain, whether a hardware failure or lost trust?
3. If a machine loses its trust with the domain, what causes this?
4. Is there a method of creating a unique password for each machine for the administrator account, or some way of not having to give out one password that gives someone access to anything and everything?
5. Any other advice?

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu
http://security.nsu.edu
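
Added example (not part of the original thread, and not any poster's own script): a PowerShell check that a machine's local Administrators group holds only what the Group Policy preference described above should leave behind, namely the domain group named after the computer and Domain Admins. The function name, the CAMPUS domain, the sample accounts and the allowance for the built-in local Administrator account are assumptions made for illustration.

```powershell
# Added example: audit local Administrators membership against the per-computer
# group model described in the thread. Names and sample data are constructed.
function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Members,      # objects exposing Name and SID
        [Parameter(Mandatory)] [string]   $DomainName,   # NetBIOS domain name
        [Parameter(Mandatory)] [string]   $ComputerName
    )
    # The only domain principals the preference is meant to leave in place.
    $allowed = @(
        "$DomainName\$ComputerName",
        "$DomainName\Domain Admins"
    )
    foreach ($m in $Members) {
        $scope = ($m.Name -split '\\')[0]
        # Assumption: the built-in local Administrator (RID 500) stays a member
        # even when the account itself is disabled, so it is not reported.
        $isBuiltinAdmin = ($scope -eq $ComputerName) -and ("$($m.SID)" -match '-500$')
        if ($isBuiltinAdmin -or ($allowed -contains $m.Name)) { continue }
        # Anything else was added outside the policy (or policy has not applied yet).
        [pscustomobject]@{
            Computer   = $ComputerName
            Unexpected = $m.Name
            SID        = "$($m.SID)"
        }
    }
}

# Constructed sample membership (not real accounts) so the check can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'LAB-PC01\Administrator'; SID = 'S-1-5-21-1111-2222-3333-500' }
    [pscustomobject]@{ Name = 'CAMPUS\Domain Admins';   SID = 'S-1-5-21-4444-5555-6666-512' }
    [pscustomobject]@{ Name = 'CAMPUS\LAB-PC01';        SID = 'S-1-5-21-4444-5555-6666-1601' }
    [pscustomobject]@{ Name = 'CAMPUS\jdoe';            SID = 'S-1-5-21-4444-5555-6666-1702' }
    [pscustomobject]@{ Name = 'LAB-PC01\helpdesk';      SID = 'S-1-5-21-1111-2222-3333-1003' }
)
Get-UnexpectedLocalAdmin -Members $sample -DomainName 'CAMPUS' -ComputerName 'LAB-PC01'

# On a live machine (Windows PowerShell 5.1 or later), read the real membership by the
# well-known Administrators SID so localized group names do not matter:
# Get-UnexpectedLocalAdmin -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') `
#     -DomainName 'CAMPUS' -ComputerName $env:COMPUTERNAME
```

Run between policy refreshes, this reports any direct additions to the local Administrators group that the "remove everyone except" preference has not yet removed.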