You're going to create user/id passwords they'll all know anyway to do "runas"?

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, July 19, 2011 10:54 AM
To: NT System Admin Issues
Subject: RE: non-local admin revisited

Create a domain group called IT Local Admins and add the domain IT Admin accounts you create to it. Then add that group to the computers using restricted groups.

Remember, restricted groups REPLACES everything in the local admin group when you apply that GPO. It does not add; it replaces.

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, July 19, 2011 1:32 PM
To: NT System Admin Issues
Subject: RE: non-local admin revisited

A local admin account? So 50 IT folks would have 50 different local admin accounts? Other than the deny log on locally what keeps them from creating an admin account while logged in as admin? Win 7 makes alternate credentials easy enough at least.

Dave.

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, July 19, 2011 10:20 AM
To: NT System Admin Issues
Subject: RE: non-local admin revisited

+1

From: Don Ely [mailto:don....@gmail.com]
Sent: Tuesday, July 19, 2011 1:19 PM
To: NT System Admin Issues
Subject: Re: non-local admin revisited

Provide them with an admin account and show them how to use "run-as"... I also disable logon locally where I can get away with it so they don't cheat...

On Tue, Jul 19, 2011 at 10:10 AM, David Lum <david....@nwea.org> wrote:

How do you bigger orgs handle IT staff (DBAs and the like) not being local admins on their systems? Invariably they are used to throwing on whatever they want and in some ways this helps the Help desk so they're not called to install stuff the user can install.

As we move to Windows 7 my recommendation is to yank local admin perms at the same time (yes everyone is local admin on their XP systems currently), but I foresee pushback from Service Desk and IT folks.

David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
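
The replace behaviour of Restricted Groups mentioned in the thread can be previewed before the GPO is linked. The following is an added example, not code from any poster in this thread: it reads the `[Group Membership]` section of a GPO's GptTmpl.inf and reports which current local Administrators members the enforced list would drop. The domain, host and account names are constructed, and the sample uses plain-text names for readability (real files are UTF-16 and usually list members as `*S-1-5-21-...` SIDs).

```python
ADMINISTRATORS_SID = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample: the section written to GptTmpl.inf when the local
# Administrators group is configured under Restricted Groups.
SAMPLE_INF = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = EXAMPLE\\Domain Admins,EXAMPLE\\IT Local Admins
"""

# Constructed inventory of one workstation's local Administrators group.
SAMPLE_CURRENT = ["EXAMPLE\\Domain Admins", "EXAMPLE\\jsmith", "WS042\\helpdesk"]


def parse_members(inf_text, group=ADMINISTRATORS_SID):
    """Return the '<group>__Members' list, or None if the GPO does not set it.

    An empty list means the policy empties the group. '__Memberof' lines are
    additive and do not wipe membership, so they are skipped here.
    """
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == (group + "__members").lower():
            return [m.strip() for m in value.split(",") if m.strip()]
    return None


def preview(current, enforced):
    """Compare current membership with a replacing Members list."""
    if enforced is None:  # group not managed by this GPO: nothing changes
        return {"removed": [], "added": [], "kept": sorted(current)}
    want = {m.lower(): m for m in enforced}  # account names are case-insensitive
    have = {m.lower(): m for m in current}
    return {
        "removed": sorted(have[k] for k in have.keys() - want.keys()),
        "added": sorted(want[k] for k in want.keys() - have.keys()),
        "kept": sorted(have[k] for k in have.keys() & want.keys()),
    }


if __name__ == "__main__":
    print(preview(SAMPLE_CURRENT, parse_members(SAMPLE_INF)))
```

Every account under `removed` loses local admin rights at the next policy refresh, so that list is the one to review before linking the GPO.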