tankman1989
Active Member
I have worked for a number of medium to large businesses and have found a common trend to be very alarming with regard to administrative work by the IT staff.
To start off, all computers have a local administrative account and the local username for that account is Admin and the password is the same on all the machines. Now, all these machines are on a domain, so we then have users who have their domain usernames (stored in AD) and the IT staff has their own usernames with the appropriate permissions and usergroups. In most places I worked, all IT staff were members of the administrators group and domain administrators group, thus enabling them to make changes using their own user profile. There was also a domain account called "Administrator" and this account was a member of just about every group and had full access to everything; the password for this account was known to all IT staff and the account was used 98% of the time to do all admin work!
I have a major problem with the setup of the company above and had I had it my way (I've never gotten past the FNG/low man on totem pole status at any company) I would have done something like this.
-All machines have the same local admin account and password.
-All employees have a domain account/username with appropriate permissions. If administrative rights are needed for a specific user, they will be issued another domain account which will have administrative access (so they would have to use a different account to make administrative changes - this is like typing SU in Linux).
-All IT staff will have a plain/standard user domain account which will be used for email, Office, internet, etc. They will also have an individual domain administrator account which they will use to do any administrative work. This way, all administrative work will be able to be tracked instead of all the IT staff using ONE domain account and no one knowing who did what.
What are your thoughts? Does this make sense, or did I not think something through? I know there are going to be those of you who say "this is going to take more time," but it shouldn't take too much more, and the added benefits of greatly increased security and the ability to actually perform an audit more than make up for the time issue.
So, what do you think?
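The account model proposed above (one standard domain account per person for day-to-day work, plus a separate, individually named domain admin account used only for administrative tasks) can be provisioned and then checked in the domain's Security log. The following is an added example written for this page, not code from the original poster; it assumes the RSAT ActiveDirectory PowerShell module, a domain called corp.example, the OU paths and the adm-<username> naming convention shown, that special-logon auditing is enabled on the domain controller it is run on, and a constructed sample list of two IT staff members.

```powershell
# Added example, not from the original post. Assumptions: ActiveDirectory module
# present, domain "corp.example", the OUs below, and the "adm-<sam>" naming scheme.
Import-Module ActiveDirectory

$Domain  = 'corp.example'                            # assumed domain
$UserOU  = 'OU=Staff,DC=corp,DC=example'             # assumed OU for standard accounts
$AdminOU = 'OU=Admin Accounts,DC=corp,DC=example'    # assumed OU for privileged accounts

# Constructed sample: IT staff who need a second, privileged account.
$ItStaff = @(
    @{ First = 'Alice'; Last = 'Smith'; Sam = 'asmith' },
    @{ First = 'Bob';   Last = 'Jones'; Sam = 'bjones' }
)

foreach ($p in $ItStaff) {
    # 1. Standard account: e-mail, Office, internet. Member of no admin group.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($p.Sam)'")) {
        New-ADUser -Name "$($p.First) $($p.Last)" -SamAccountName $p.Sam `
            -UserPrincipalName "$($p.Sam)@$Domain" -Path $UserOU `
            -AccountPassword (Read-Host -AsSecureString "Password for $($p.Sam)") `
            -ChangePasswordAtLogon $true -Enabled $true
    }

    # 2. Individual admin account (assumed naming adm-<sam>). This is the account the
    #    person switches to for admin work, the "su" of the post's analogy.
    $adm = "adm-$($p.Sam)"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$adm'")) {
        New-ADUser -Name "$($p.First) $($p.Last) (admin)" -SamAccountName $adm `
            -UserPrincipalName "$adm@$Domain" -Path $AdminOU `
            -AccountPassword (Read-Host -AsSecureString "Password for $adm") `
            -ChangePasswordAtLogon $true -Enabled $true `
            -Description "Privileged account for $($p.Sam); not for mail or web"
        Add-ADGroupMember -Identity 'Domain Admins' -Members $adm
    }
}

# Using the admin account for a single task rather than logging in with it:
#   runas /user:CORP\adm-asmith "mmc dsa.msc"

# The audit payoff. Event ID 4672 ("special privileges assigned to new logon") is
# written when an account holding admin-level privileges logs on. With individual
# admin accounts, SubjectUserName names a person; with the shared "Administrator"
# account it never can. Run on a domain controller.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddDays(-1) } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($xml.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count
```

If the last table still shows "Administrator" at the top after the per-person accounts exist, staff are still using the shared account and the audit trail the post argues for has not actually been gained. The passwords are prompted for interactively here so that nothing sits in the script; in practice they would be set through whatever onboarding process the shop already uses.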