Educause Security Discussion mailing list archives

Re: Desktop Administrator Question


From: Rich Graves <rgraves () CARLETON EDU>
Date: Wed, 1 Feb 2012 10:36:38 -0600

We're yet another special case that doesn't fit your questions: 

On our Windows 7 desktops, which are now the majority, nobody is a local administrator. 

However, all staff/faculty set (but many forget) a personal .\admin account and password, different for every machine, 
that they are instructed to use for software installation and system administration only. The .\admin account is 
blocked from domain resources, so there is no incentive to use it for anything but UAC elevation prompts. Help desk 
techs use a domain account whose password changes twice daily. For offline access, the built-in Administrator account 
is set to a random value and submitted to a web service which stores it GPG-encrypted. 

So, we get privilege separation against malware; a UAC speed-bump encouraging some consideration before software 
installation; two forms of help desk access without password sharing; but no enforcement of policy against unsanctioned 
software. 
-- 

Rich Graves http://claimid.com/rcgraves 
Carleton.edu Sr UNIX and Security Admin 
CMC135: 507-222-7079 Cell: 952-292-6529 
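The offline-access step the post describes (built-in Administrator set to a random value and escrowed GPG-encrypted to a web service) can be scripted; the following is an added PowerShell example, not the poster's or Carleton's own tooling. It assumes the LocalAccounts module (Windows 10 / PowerShell 5.1 or later, so newer than the Windows 7 fleet in the post), a gpg.exe on PATH, and placeholder values for the escrow URL and GPG recipient; the same job is what Microsoft LAPS does natively today.

```powershell
# Added example: rotate the built-in Administrator (RID 500) to a random password
# and escrow it GPG-encrypted before the change is applied.
# Placeholders (assumed, not from the post): escrow endpoint and recipient key.
$EscrowUrl    = 'https://escrow.example.edu/api/localadmin'   # placeholder
$GpgRecipient = 'escrow-key@example.edu'                      # placeholder

# 64-symbol alphabet (no ambiguous l/1/I/O/0): 256 % 64 == 0, so mapping a
# random byte with modulo introduces no bias. Get-Random is not cryptographic.
$alphabet = [char[]]('abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+=?@-')
$bytes    = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain    = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

# Locate the built-in Administrator by well-known RID, not by name (it may be renamed).
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found.' }

# Encrypt host<TAB>account<TAB>password to the escrow key; only ciphertext leaves the box.
$record = "$env:COMPUTERNAME`t$($admin.Name)`t$plain"
$cipher = $record | gpg --batch --yes --encrypt --armor --trust-model always --recipient $GpgRecipient
if ($LASTEXITCODE -ne 0) { throw 'gpg encryption failed; password not rotated.' }

# Escrow first, rotate second: a rotation whose record was never stored locks
# everyone out, so the password is changed only after the POST succeeds.
$body = @{ host = $env:COMPUTERNAME; account = $admin.Name; secret = ($cipher -join "`n") } |
        ConvertTo-Json
try {
    Invoke-RestMethod -Uri $EscrowUrl -Method Post -ContentType 'application/json' `
                      -Body $body -ErrorAction Stop | Out-Null
} catch {
    throw "Escrow POST failed ($($_.Exception.Message)); password not rotated."
}

$secure = ConvertTo-SecureString $plain -AsPlainText -Force
Set-LocalUser -Name $admin.Name -Password $secure
Remove-Variable plain, record, body   # drop plaintext from the session
Write-Host "Rotated $($admin.Name) on $env:COMPUTERNAME and escrowed to $EscrowUrl"
```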
