No, he created LA_<username> account, for example, mine would be
LA_jonathan.link.


On Fri, Jun 8, 2012 at 10:23 AM, Ken Schaefer <k...@adopenstatic.com> wrote:

> You created a general account? Rather than a specific account for the
> user?
>
> In general though, in a small environment I would create a Domain group of
> some kind (e.g. Universal or Global). The Domain group would be based on a
> business need/business unit/etc. Add that group to the Local Administrators
> group on the server. Put an account for that user into that Domain group.
>
> Then it becomes easier to track what access the user has – just look at
> the group membership of that user.
>
> Cheers
>
> Ken
>
> *From:* David Lum [mailto:david....@nwea.org]
> *Sent:* Friday, 8 June 2012 9:11 PM
>
> *To:* NT System Admin Issues
> *Subject:* Reality check
>
> A fellow team member (not an SE, but more of an application owner type of
> tech person) needs Local Admin access to a server to install and configure
> a new application on it. I understand the need and agree with it.
>
> Instead of just throwing his account into the local admin group on that
> server I did the following:
>
> Created a LA-<servername> account (LA= Local Admin)
> Created a security group called LA-<servername>_LocalAdmin, added the
> above to it
>
> Created a GPO to put said security group into local admins on that server
>
> My thinking is
>
> 1. This keeps him from using his daily account to be local
> admin on the box
>
> 2. I don’t have an individual assignment on that server
>
> In general, I view putting a user specifically into a server’s local group
> as the same as putting a user (instead of a group) into the ACL of an NTFS
> folder. If said employee leaves, it’s difficult/tedious to see where they
> had access TO so we have no idea where their replacement might need to be
> added.
>
> However, was that really too much work to give the guy the ability to log
> in as local admin?
>
> *David Lum*
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
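
The tracking problem discussed in the thread (user accounts placed directly in a server's local Administrators group are hard to find later) can be checked with a short audit. This is an added example, not code from any poster in the thread; the function name, the default server list and the `LA-` group prefix are assumptions, and it assumes PowerShell remoting (WinRM) is enabled on each server.

```powershell
# Added example, not from the thread. Assumes WinRM remoting to each server and
# the thread's "LA-" prefix for groups that are meant to grant local admin.
function Get-LocalAdminAssignment {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),  # placeholder server list
        [string]$GroupPrefix = 'LA-'                     # assumed naming convention
    )
    foreach ($computer in $ComputerName) {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so the lookup does not depend on the group's localized name.
        $members = Invoke-Command -ComputerName $computer -ScriptBlock {
            Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object Name, ObjectClass,
                    @{ Name = 'Source'; Expression = { [string]$_.PrincipalSource } }
        }
        foreach ($m in $members) {
            # Names come back as DOMAIN\name or SERVER\name; keep the last part.
            $leaf = ($m.Name -split '\\')[-1]
            $finding = if ($m.ObjectClass -eq 'Group' -and $leaf -like "$GroupPrefix*") {
                'OK: access granted through an LA- group'
            } elseif ($m.ObjectClass -eq 'Group') {
                'Review: group outside the LA- convention'
            } elseif ($m.Source -eq 'Local') {
                'Local account on the server'
            } else {
                'Direct user assignment: move into a group'
            }
            [pscustomobject]@{
                Server  = $computer
                Member  = $m.Name
                Class   = $m.ObjectClass
                Finding = $finding
            }
        }
    }
}

Get-LocalAdminAssignment | Sort-Object Server, Finding | Format-Table -AutoSize
```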
