Re: Local Admin Accounts

[Zach Jansen <zjanse20 () CALVIN EDU>]

I didn't see a response to Manny's question on this thread. What do other schools do with student workers to get them 
admin access? Does your HelpDesk have a local admin password to login to systems that aren't on the network? If you do, 
how do you manage a local password change when a staff member, student or otherwise, leaves?

Zach
-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

> > > On 9/16/2009 at 3:37 PM, in message
<74EC63270F70E84EBE31C4588324B476766E7D9AF9 () EXVS01 olin edu>, Manuel Amaral
<Manuel.Amaral () OLIN EDU> wrote:
> The feedback on this topic has been great.  I'm curious what others do to 
> provide and manage admin access for help desk workstudy students to assist 
> with system repairs, troubleshooting, updates, etc. 
>
>
> Manny
> ---------------------------------------
> Manuel (Manny) Amaral
> Associate Director, Information Technology
> Franklin W. Olin College of Engineering
>  
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
> Sent: Wednesday, September 16, 2009 3:33 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU 
> Subject: Re: [SECURITY] Local Admin Accounts
>
> We're putting laptops on the domain too. But both laptops and desktops have 
> a local administrator account unique and known to the user.
>
>
> Gary Flynn
> Security Engineer
> James Madison University
>
> <reply top posted thanks to Microsoft Outlook>
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
> > Sent: Wednesday, September 16, 2009 3:14 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU 
> > Subject: Re: [SECURITY] Local Admin Accounts
> >
> > Everyone is posting some great ideas for handling computers on the
> > domain, but how are you dealing with computers (laptops) that might not
> > be on the domain?  Are you simply giving them an elevated local
> > account, using 2 local accounts (one non-admin and one admin) or
> > something else?
> >
> >
> >
> > Bob Smith
> >
> > Information Security Officer
> >
> > Longwood University
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally
> > Sent: Wednesday, September 16, 2009 2:42 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU 
> > Subject: Re: [SECURITY] Local Admin Accounts
> >
> >
> >
> > 1.       We are using Vista in our labs and disable the local
> > Administrator account.
> >
> >
> >
> > 2.         See #4.
> >
> >
> >
> > 3.       We have never had any issues with machines dropping out of the
> > domain.  (2500 machines)
> >
> >
> >
> > 4.       We do not allow anonymous account access, everyone uses their
> > domain account for what they need.  For administrative access we use
> > group policy.  We created an OU that contains groups with the same name
> > as the computer.  A group policy will then add the group %COMPUTERNAM%
> > to the local administrators group.  We simply add the user to the
> > appropriate %COMPUTERNAM% group and they are an Administrator of that
> > and only that machine.  We use the same GPO to remove everyone with the
> > exception of the folks we specify, from all of the groups just in case
> > one of our %COMPUTERNAM% group Administrators decide to add themselves
> > or someone else to something that they should not.
> >
> >
> >
> > 5.       Use the Active Directory and Group Policies.
> >
> >
> >
> > -Wally Strzelec
> >
> >  Computing and information Services
> >
> >  Texas A&M University
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
> > Sent: Wednesday, September 16, 2009 1:20 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU 
> > Subject: [SECURITY] Local Admin Accounts
> >
> >
> >
> > I would like to inquire as to what other Universities are doing with
> > regard to local admin accounts in Windows domain.  We are contemplating
> > removing or disabling local administrator accounts across the board and
> > use a Workstation Administrators group in Active Directory.
> >
> >
> >
> > 1.       Has anyone disabled the local Administrator account?
> >
> > 2.       How do you handle when a machine can no longer talk to the
> > network or domain, whether a hardware failure or lost trust?
> >
> > 3.       If a machine loses its trust with the domain, what cause this?
> >
> > 4.       Is there a method of creating a unique password for each
> > machine for the administrator account, or someway of not having to give
> > out one password that gives someone access to anything and everything?
> >
> > 5.       Any other advice?
> >
> >
> >
> > Ronald King
> >
> > Security Engineer
> >
> > Norfolk State University
> >
> > Marie V. McDemmond Center for Applied Research
> >
> > Suite 401
> >
> > 700 Park Ave.
> >
> > Norfolk, Virginia  23504
> >
> > Phone:  757-823-3918
> >
> > Fax: 757-823-2128
> >
> > Email: raking () nsu edu 
> >
> > http://security.nsu.edu