Each person will have a separate account for administrative functions, and
whenever they need to perform those functions, they'll use RUNAS with the
admin-level account...


We do it differently (at my current location).

IT members have Win7 and have local admin access of their own machines, but
with UAC enabled at the default level.  Domain Admin access, however,
requires a separate account.



*ASB* *http://about.me/Andrew.S.Baker* *Harnessing the Advantages of
Technology for the SMB market…*



On Tue, Jul 19, 2011 at 4:00 PM, Ray <rz...@qwest.net> wrote:

> You’re going to create user/id passwords they’ll all know anyway to do
> “runas”?
>
> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> *Sent:* Tuesday, July 19, 2011 10:54 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: non-local admin revisited
>
> Create a domain group called IT Local Admins and add the domain IT Admin
> accounts you create to it.  Then add that group to the computers using
> restricted groups. Remember, restricted groups REPLACES everything in the
> local admin group when you apply that GPO. It does not add…it replaces.
>
> *From:* David Lum [mailto:david....@nwea.org]
> *Sent:* Tuesday, July 19, 2011 1:32 PM
>
> *To:* NT System Admin Issues
> *Subject:* RE: non-local admin revisited
>
> A local admin account?  So 50 IT folks would have 50 different local admin
> accounts? Other than the deny log on locally what keeps them from creating
> an admin account while logged in as admin?
>
> Win 7 makes alternate credentials easy enough at least…
>
> Dave.
>
> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> *Sent:* Tuesday, July 19, 2011 10:20 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: non-local admin revisited
>
> +1
>
> *From:* Don Ely [mailto:don....@gmail.com]
> *Sent:* Tuesday, July 19, 2011 1:19 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: non-local admin revisited
>
> Provide them with an admin account and show them how to use "run-as"...  I
> also disable logon locally where I can get away with it so they don't
> cheat...
>
> On Tue, Jul 19, 2011 at 10:10 AM, David Lum <david....@nwea.org> wrote:
>
> How do you bigger orgs handle IT staff (DBAs and the like) not being
> local admins on their systems? Invariably they are used to throwing on
> whatever they want and in some ways this helps the Help desk so they’re not
> called to install stuff the user can install.
>
> As we move to Windows 7 my recommendation is to yank local admin perms at
> the same time (yes everyone is local admin on their XP systems currently),
> but I foresee pushback from Service Desk and IT folks…
>
> *David Lum*
> Systems Engineer // NWEA™
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
>
>
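The point in Jim Kennedy's reply (Restricted Groups replaces rather than adds), as an added example that is not part of the original thread: a Python sketch that reads the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and reports whether local Administrators is set through `__Members` (replace) or has groups joined to it through `__Memberof` (add). The sample template, its SIDs and the function names are constructed for illustration.

```python
ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample in GptTmpl.inf layout; the domain SIDs are made-up placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1106__Members =
"""


def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} for keys present in the file."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep and kind.lower() in ("members", "memberof"):
            names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            groups.setdefault(group.lstrip("*"), {})[kind.lower()] = names
    return groups


def classify(groups, target=ADMINS):
    """Separate the entry that replaces target's members from entries that add to it."""
    # Assumption: any __Members key on the target is treated as replace mode.
    replaces = groups.get(target, {}).get("members")  # None when no __Members key
    adds = [g for g, e in groups.items() if target in e.get("memberof", [])]
    return {"replaces": replaces, "adds": adds}


if __name__ == "__main__":
    result = classify(parse_group_membership(SAMPLE_INF))
    if result["replaces"] is not None:
        print("REPLACE mode, enforced member list:", result["replaces"])
    for group in result["adds"]:
        print("ADD mode:", group, "is added; existing members are kept")
```
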
