Doesn't 2008 R2 AD try to handle this with the "Managed Service Accounts" feature? Having said that, I haven't tried using it yet. We try to apply the principle of least privilege wherever possible. You can use LUA Buglight and Process Monitor to work out *why* things think they need admin permissions. It's a bit of a hassle but ultimately better. For instance, our users always used to demand admin rights to run AutoCAD, until we worked out they just needed the Create Global Objects user right. A quick GPO update later, and they no longer need admin rights or privilege elevation software.
On 8 June 2010 17:46, David Lum <david....@nwea.org> wrote:

> How do you guys handle service accounts that seem to need local admin perms on server and workstations – i.e., SMS, anti-virus, etc.? We currently have them as domain admins with a "no interactive logon" GPO, but surely there's a better way... the only thing that comes to mind is to use GPO to make them local admins on each machine, but that's not much improvement for, say, a DC, right?
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
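As an added example, not code from either message in the thread: two PowerShell checks for the least-privilege approach the reply describes. The first reads the effective user-rights assignment on a machine so you can confirm that the group targeted by the GPO actually received Create Global Objects (SeCreateGlobalPrivilege) and nothing broader; the second lists domain accounts sitting in a machine's local Administrators group, the situation the original question describes for SMS and anti-virus service accounts. Assumed: it is run elevated on the machine being checked, and it relies only on secedit.exe and the WinNT ADSI provider that ship with Windows.

```powershell
# Added example (not from the thread). Assumes an elevated session on the
# machine being audited; user-right names are the constants Windows writes
# to the [Privilege Rights] section of a secedit export.

function Get-UserRightAssignment {
    param(
        [Parameter(Mandatory)] [string] $Right,    # e.g. 'SeCreateGlobalPrivilege'
        [string] $ExportPath = (Join-Path $env:TEMP 'secpol-export.inf')
    )
    # secedit exports the *effective* local policy, so GPO-applied rights are included
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    $line = Get-Content $ExportPath -Encoding Unicode |
        Where-Object { $_ -match "^\s*$Right\s*=" }
    Remove-Item $ExportPath -ErrorAction SilentlyContinue
    if (-not $line) { return @() }          # right assigned to nobody: line is absent
    # Entries are '*<SID>' or a bare account name, comma-separated
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }               # unresolvable SID: report it raw
        } else { $entry }
    }
}

function Get-DomainMembersOfLocalAdmins {
    param([string] $ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # Local principals resolve to WinNT://<host>/name; anything else is a domain principal
        if ($path -notmatch "^WinNT://$ComputerName/") { $path -replace '^WinNT://', '' }
    }
}

# Usage: confirm who holds Create Global Objects, then list domain accounts
# that are local admins on this box and need the same "why" investigation.
Get-UserRightAssignment -Right 'SeCreateGlobalPrivilege'
Get-DomainMembersOfLocalAdmins
```

Run the first function before and after the GPO change to see exactly which principals gained the right; anything unexpected in the second function's output is a candidate for the LUA Buglight / Process Monitor treatment the reply recommends.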