From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jordan, Jason [EPM/AUS]
Sent: Thursday, December 04, 2003 11:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir]
We solved this problem in two ways depending on whether the machine being modified is a server or PC.
1. When we have to patch the 250 servers in our datacenter and it's going to be too much for the 6 of us administrators to handle in a reasonable amount of time, we bring in members of the helpdesk and add them to the Domain Admins domain group. Of course we work with these guys enough to know that they can be trusted and we remove them as soon as we are done with the patching. There is really no way around this, unless we were to follow something similar to option 2.
2. All of our users' PCs have a domain group called TempPCAdmin that is added to the local Administrators group on each PC. We do not advertise the existence of this group to our users or the rest of the IT department. 99.999% of the time this domain group has no users in it. When we need to give a helpdesk technician access to a PC, we just add their domain user to this domain group and when they are done we remove them. This way we don't have to give out the local PC's administrator user's password and the technician has the power to do whatever they need to do.
Of course we could eliminate option 1 if we modified all of our servers to have something similar to option 2, but that can take a very long time to do without automated tools and if we had automated tools, then we would not be in the position of needing an option 1 anyways since we could automate patching as well. :-) Such is life when you work at a place that doesn't like to spend money. >:-/
jasonjordan
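
An added example, not part of the original thread: one way to check that the normally empty TempPCAdmin group from option 2 holds only technicians with a current approval. The function name, the approvals table and the hd.tech* accounts are hypothetical; the live query assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: audit the normally-empty TempPCAdmin domain group.
# Find-StaleTempAdmin, $approvals and the hd.tech* accounts are hypothetical names.

function Find-StaleTempAdmin {
    param(
        [string[]]  $Members,      # SamAccountNames currently in the group
        [hashtable] $Approvals,    # SamAccountName -> approved-until [datetime]
        [datetime]  $Now = (Get-Date)
    )
    foreach ($m in $Members) {
        if (-not $Approvals.ContainsKey($m)) {
            # Member was added without any recorded approval
            [pscustomobject]@{ Member = $m; Reason = 'no approval on record' }
        }
        elseif ($Approvals[$m] -lt $Now) {
            # Approval existed but the technician was never removed afterwards
            [pscustomobject]@{ Member = $m
                               Reason = "approval expired $($Approvals[$m].ToString('s'))" }
        }
    }
}

# Constructed sample data: who may be in the group, and until when.
$approvals = @{
    'hd.tech1' = [datetime]'2003-12-04T17:00:00'   # still valid at the sample time
    'hd.tech2' = [datetime]'2003-12-03T17:00:00'   # expired the day before
}

# Offline run against a constructed membership list (hd.tech3 has no approval).
$sampleMembers = 'hd.tech1', 'hd.tech2', 'hd.tech3'
Find-StaleTempAdmin -Members $sampleMembers -Approvals $approvals `
                    -Now ([datetime]'2003-12-04T12:00:00')

# Live check, only where the ActiveDirectory module is available.
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $live = @(Get-ADGroupMember -Identity 'TempPCAdmin' -Recursive |
              Select-Object -ExpandProperty SamAccountName)
    Find-StaleTempAdmin -Members $live -Approvals $approvals | ForEach-Object {
        Write-Warning "TempPCAdmin member $($_.Member): $($_.Reason)"
        # To enforce rather than report, uncomment:
        # Remove-ADGroupMember -Identity 'TempPCAdmin' -Members $_.Member -Confirm:$false
    }
}
```

The same check can be pointed at Domain Admins for the temporary memberships described in option 1 by changing the group name passed to `Get-ADGroupMember`.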
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oliver Marshall
Sent: Thursday, December 04, 2003 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
No joke. It's not the best, but then I am taking some assumptions:
1) If he is installing software on each machine individually then it isn't a big setup by any means
2) Adding one user to each machine's admin groups could take a while and is a pain, even in small setups.
3) He has a backup admin account that he can use should any numpty change the admin account password
4) The chap in question can be trusted enough to do work on his own machines even if he can't be trusted with a generic password which is the same for all clients (!)
5) There is no other real way of doing this other than making him a member of one of the two admin groups (local or domain)
Based on these assumptions, I'm afraid I stand by my comment. Given the assumed setup I don't see it as too much of a risk, and you can always revoke privileges afterwards.
-----Original Message-----
From: Douglas M. Long [mailto:[EMAIL PROTECTED]]
Sent: 04 December 2003 15:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
I hope that last comment was a joke...as I wouldn't want a "user" to have domain admin rights. If you find a good solution for this, I would be surprised, as I have looked for a better solution than just adding the user's domain account to the local admin group and can't find anything. I have been living with all "domain users" being members of their local machine admin group, and just hoping that they don't change the local admin user password. If all you are worried about is keeping the admin password so that you can get into the machine if you need...don't worry, there are always local machine administrator reset programs.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jerry Johnson
Sent: Thursday, December 04, 2003 9:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
Hi
I have a user that needs to be able to install software on 2k and xp clients by visiting each desktop.
All of our clients are set up with the same local admin password and we do not want him to know that password.
Is this possible?
He is currently just a domain user.
Thank you
Jerry
Scicom Data Services
Minnetonka, MN
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/