Guest pf Posted August 9, 2007

This is a question I'm hoping I will get some good input on.

For all of our servers we create a generic AD user account, and assign that AD account to the local administrators group on the designated server that it should administer. This way, if the user account gets used on any other machine other than the one server it's assigned to, the account only has normal user account rights on the network.

Is this an appropriate method for trying to secure servers and the admin rights to them?
Is there some other approach we should be using?
What about domain controllers, should they be logged in as domain admin?

Thanks in advance for any input on this topic.
Guest Lanwench [MVP - Exchange] Posted August 9, 2007

Re: Server Logins

pf <pf@discussions.microsoft.com> wrote:
> This is a question I'm hoping I will get some good input on.
> For all of our servers we create a generic AD user account, and
> assign that AD account to the local administrators group on the
> designated server that it should administer. This way if the user
> account gets used on any other machine other than the one server it's
> assigned to, the account only has normal user account rights on the
> network.
>
> Is this an appropriate method for trying to secure servers and the
> admin rights to them?
> Is there some other approach we should be using?
> What about domain controllers, should they be logged in as domain
> admin?
>
> Thanks in advance for any input on this topic.

The problem with any "generic" account is you can't figure out who did what. I'd look at setting up individual 'engineering' level accounts for these admins (not to be used as 'daily driver' user accounts), and use AD delegation to grant them permissions to only that which they need. Then crank up your auditing via group policy so you have an audit trail.
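As an added illustration of the per-engineer approach suggested in the reply (example code written for this page, not posted by either participant): each admin gets a named `adm-` account that is distinct from their daily account, that account is placed in the local Administrators group of only its designated server, and a review pass flags any other (shared or unexpected) local admin and shows the current logon audit setting. The domain name, OU path, engineer names and server names are constructed placeholders; the script assumes the RSAT ActiveDirectory module and PowerShell remoting to the servers.

```powershell
# Added example, not from the thread. Assumptions: RSAT ActiveDirectory module,
# PowerShell remoting enabled on the servers, placeholder domain/OU/server names.
Import-Module ActiveDirectory

$NetBiosDomain = 'CORP'                                  # placeholder NetBIOS domain
$AdminOU       = 'OU=Server Admins,DC=corp,DC=example'   # placeholder OU for admin accounts
$Assignments   = @{                                      # constructed sample: engineer -> server
    'jdoe'   = 'SRV-FILE01'
    'asmith' = 'SRV-SQL01'
}

foreach ($engineer in $Assignments.Keys) {
    $server  = $Assignments[$engineer]
    $adminId = "adm-$engineer"   # separate from the engineer's daily-driver account

    # Create the named admin account once; actions are then attributable to a person.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$adminId'")) {
        New-ADUser -Name $adminId -SamAccountName $adminId -Path $AdminOU `
            -Description "Server admin account for $engineer, scoped to $server" `
            -AccountPassword (Read-Host -AsSecureString "Password for $adminId") `
            -Enabled $true
    }

    # Grant local admin rights on the designated server only, nowhere else.
    Invoke-Command -ComputerName $server -ScriptBlock {
        param($member)
        if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group 'Administrators' -Member $member
        }
    } -ArgumentList "$NetBiosDomain\$adminId"
}

# Review pass: list everything in local Administrators that is not a named adm-*
# account, the built-in Administrator, or Domain Admins (a shared 'generic' account
# would show up here), and print the current Logon audit setting for the trail.
foreach ($server in ($Assignments.Values | Sort-Object -Unique)) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Where-Object {
                $_.Name -notmatch '\\adm-' -and
                $_.Name -notmatch '\\Administrator$' -and
                $_.Name -notmatch '\\Domain Admins$'
            } |
            ForEach-Object { "$env:COMPUTERNAME : review unexpected admin '$($_.Name)'" }
        auditpol /get /subcategory:"Logon"   # should report Success and Failure once GPO auditing is applied
    }
}
```

Run it from a workstation or jump host with the engineer's own admin credentials; the review loop is safe to rerun on its own whenever the server list changes.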