Do a domain account as you describe and set the account to expire tomorrow. When they need it you re-enable it and set it to expire again the next day. Still manual intervention on your part but the automatic expire solves the ongoing access issue.
From: David Lum [mailto:david....@nwea.org] Sent: Friday, January 04, 2013 10:41 AM To: NT System Admin Issues Subject: Occasional local admin needed How would you guys handle this? I have a server that the developers use that they occasionally (once a month or so) need local admin access for to install/upgrade an app or feature they use. This is a new-ish server that previously I have just added a user (it's the same one each time) to the local admin group then a week later took them out, but that's cumbersome and I become the single point of failure on remembering to back them out. I could 1. create a special AD account for this user to be local admin, or 2. create an AD group, put this person in it, then GPO that group into local admins on that server. Suggestions? David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin