Systems Administrators

E

edicwhun

Weaksauce
Joined
Mar 30, 2006
Messages
93
At my place of work we are currently migrating all of our users from a workgroup over to a domain environment. When in the workgroup environment all users had administrative rights on their computers where as in the new domain everyone will just have user rights, INCLUDING us (the sys admins). This isn't so much of a big deal as we can log in as administrators to do what we need to do to the local machines, but our own login names will only have user rights as well. This will be done so that "everyone is equal", meaning my login name won't be any more "powerful" than Joe User. Is this how others out there administrate their systems and user rights? I don't care so much that this is happening, I just wanted to get a feel for what the "norm" was out there.

Thanks for any replies!
 
Thats a pretty typical setup. Will each admin have a 'normal' user account and an admin account? Or is there just one admin account that you all will use?

Just be careful not to give the users local admin rights on their computers. You will regret it if you do.
 
i dont give my users local log ins to the computer. they only have domain logins. the only local computer log in accounts are strickly for sys admin use. (to fix things add remove computer from domain etc etc.)

you can put certain accounts into the domain admin groups or system admin whatever group you create for them so they can have admin rights even with their normal logins

but generally its not good for all your users to have admin rights to install all kinda crap spy/adware/malware/junk. could bring your network crawling on its knees. but its probably best for the company to do this
 
I only give "power user" access to the people in the field with laptops, internal users are all restricted - including remote locations (wan).
I actually don't even login into the domain with my laptop, so my login isn't a risk at all. I have a seperate system in my office just for monitoring the servers and network with a login that has domain, schema, and enterprise admin rights (and it's locked down - not even inet access).
All the local Admin accounts are secured and I handle all access and restrictions through group policy, never at each client.
I don't know if this is the best setup, but it has worked out pretty well and is pretty secure.
 
BioPort said:
Thats a pretty typical setup. Will each admin have a 'normal' user account and an admin account? Or is there just one admin account that you all will use?

Just be careful not to give the users local admin rights on their computers. You will regret it if you do.
Click to expand...


There will just be one admin account that we all use, that being "administrator" on the local machine. My own specific login will only have user rights along with everyone else. So if I were to log in as myself I would only be a "user", but I can log in as administrator and do what I need to do. The same applies for the DC, we will log in as "administrator".

The reason I asked this question is because at my last employer all the IT personnel had administrative privelages with their specific login without having to log in as "administrator", so since I only had that experience to compare with I just wanted to see what the typical setup was like.
 
In my past jobs the Sys Admin guys had 2 domain accounts. One of the accounts was used for everyday tasks (ie. Checking Email, Surfing the web, etc...) and the other account was for the Administrative accounts.

Please make sure that you rename the "Administrator" account to something less conspicuous. Also, do not make your IT admin accounts stand out (ie. joe.use.admin). It makes them an easy target for attacks.

Hope this helps.
 
You must log in or register to reply here.
Back
Top