RE: Helpdesk as local admin
WALI,

By default all users have the right to add 10 machines to the domain.
You can modify the default domain controller policy (not default domain
policy) to change this.

I routinely create a group for adding machines, and delegate the right
to add machines to this group and domain admins, removing authenticating
users. Sometimes office managers need to add machines such as at a
remote site without local help desk staff, and I could add them to this
group without giving them any other help desk level privilege.

In my experience, the help desk staff need access to the local admin
accounts. So, I cut and pasted a script together that would change the
local admin passwords, and would run the script after any IT personnel
left.

Local admin passwords on the laptops/desktops should certainly be
different than the local admin passwords on your servers.

Walking around the building, I would sometimes hear the users mention
the local admin password and using it to do something they otherwise
couldn't.

I would have to review with the help desk staff the importance of
keeping this password known only to their group, but invariably the help
desk staff would give the password out to users who had run into an
issue while out of the office. Usually, this was the screen saver
lockout coming on during a PowerPoint presentation.

So, periodically, I would change the local admin password even if no one
had left. Also, I created a group that wouldn't apply the screen saver
lockout and asked secretaries to let me know if an exec was traveling so
I could drop them in that group.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of WALI
Sent: Saturday, February 03, 2007 7:59 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Helpdesk as local admin

Hi Guys..

So what's the defined best practice regarding HelpDesk personnel being
given/told local admin account names and passwords on users'
PCs/workstations in order to undertake routine fault finding and
application installation?

Help Desk techies also regularly insert new workstations into the domain,
hence they need certain privileges to be able to make new workstations
join the domain. What could be the most secure way, given the fact that
servers are running Win 2k3 and client machines are a combination of WinXP
and Win2k?
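Scott's reply above describes a script that resets the local admin password on every workstation after staff leave, keeps the workstation password different from the server password, and has to cope with laptops that are out of the office. The following is an added example of that procedure in PowerShell; it is not the script from the original post. It assumes the ActiveDirectory (RSAT) module is installed, that the account running it is a local administrator on every target, and that SAM RPC over TCP 445 is reachable. The search base `OU=Computers,DC=corp,DC=example` and the vault path `\\vault\helpdesk$\local-admin.txt` are hypothetical placeholders.

```powershell
# Added example, not the script from the original post. Rotates the RID-500
# local Administrator password on every enabled domain computer, using one
# random password for workstations and a separate one for servers, and
# reports machines that were unreachable (laptops out of the office) so they
# can be retried on the next run.
# Assumptions: the ActiveDirectory module (RSAT) is installed, the caller is
# a local administrator on every target, and SAM RPC over TCP 445 is open.
# The search base and vault path below are hypothetical placeholders.

Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-symbol alphabet, so reducing a byte modulo 64 introduces no bias.
    # Get-Random is not a CSPRNG; draw bytes from the .NET cryptographic RNG.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Set-LocalAdminPassword {
    param([string]$Computer, [string]$Password)
    # Find the built-in Administrator by RID 500 rather than by name, because
    # it may have been renamed on some machines.
    $machine = [ADSI]"WinNT://$Computer,computer"
    $admin = $machine.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'user' } |
        Where-Object {
            $sidBytes = $_.psbase.InvokeGet('objectSid')
            (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value -like '*-500'
        } |
        Select-Object -First 1
    if (-not $admin) { throw "RID-500 account not found on $Computer" }
    $admin.SetPassword($Password)   # IADsUser::SetPassword over SAM RPC
    $admin.SetInfo()
}

function Invoke-LocalAdminRotation {
    param([string]$SearchBase, [string]$VaultPath)
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                                -Properties OperatingSystem
    # One password per class: workstations never share a password with servers.
    $passwords = @{ Workstation = New-RandomPassword; Server = New-RandomPassword }

    $results = foreach ($c in $computers) {
        $class  = if ($c.OperatingSystem -like '*Server*') { 'Server' } else { 'Workstation' }
        $target = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
        $status = if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) {
            'Offline'    # out of the office; picked up on the next run
        } else {
            try   { Set-LocalAdminPassword -Computer $c.Name -Password $passwords[$class]; 'Rotated' }
            catch { "Failed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ Computer = $c.Name; Class = $class; Status = $status }
    }

    # The new passwords go to a location only the help desk group can read
    # (an ACL-restricted share or a password manager); they are never logged here.
    $passwords.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value)" } |
        Set-Content -Path $VaultPath -Encoding UTF8
    $results
}

Invoke-LocalAdminRotation -SearchBase 'OU=Computers,DC=corp,DC=example' `
                          -VaultPath '\\vault\helpdesk$\local-admin.txt' |
    Format-Table -AutoSize
```

Run it from an admin workstation after each staff departure and on a schedule; the `Offline` rows are the laptops Scott mentions, and rerunning the script until they show `Rotated` closes that gap. One caveat the thread does not raise: a single password shared across all workstations means an attacker who dumps the hash on one machine can authenticate to every other one. Windows LAPS, which sets a unique per-machine password and stores it in AD behind an ACL, is the current replacement for this kind of script.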
