Posted by Steven L Umbach on September 26, 2005, 9:00 pm
You are correct in your concern about using a domain admin account. In my
opinion a domain administrator should never log on to a domain computer that
is not a known secure admin workstation. What you can do is to add a regular
domain user account to the local administrators group on any domain
computer. Then you can log on with that account, which would have no special
powers in the domain, assuming you do NOT use the same password as you do for
your domain administrator account, which again could be used to try and
compromise a domain administrator account, as attackers know that users
commonly use the same password for all their user accounts. You can use a
Group Policy "startup" script using the net localgroup command to add a
global group to the local administrators group on domain computers, or use
Group Policy Restricted Groups at the Organizational Unit level and the
"Member of" [for W2K SP4] option to add a global group to the local
administrators group on domain computers in that OU. I would also use a
separate global group to manage servers and other critical computers, in case
your local administrator password is captured, so that it could not be used
on those sensitive computers. The link below explains more about Restricted
Groups. FYI, for .msi software packages you can publish them for
users/computers via Group Policy Software Installation to make authorized
software available to domain users that can be installed without the
intervention of an administrator. --- Steve
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
"James Pang" <news.microsoft.com> wrote in message
> we have a small domain, and two system administrators. what we used to do
> is when users call us and say they want a software we go and install it
> with domain admin account. But MS hacker could install a Trojan and
> capture the admin password. so what is the best way to do that?
>
> --
> Tech Servant James Pang.
>
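As an added example (not code from Steve's post), here is the kind of Group Policy computer startup script he describes, using net localgroup to put a domain global group into the local Administrators group; the domain CONTOSO, the group name "Workstation Admins" and the log path are constructed placeholders, and the script only adds the group when it is not already a member so it can run at every boot.

```batch
@echo off
REM Added example: Group Policy computer startup script (runs as LocalSystem at boot).
REM Adds a domain global group to the local Administrators group, idempotently.
REM CONTOSO, "Workstation Admins" and the log path are constructed placeholders.
setlocal
set GRP=CONTOSO\Workstation Admins
set LOG=%SystemRoot%\Temp\localadmin-startup.log

REM Check current membership first: "net localgroup X /add" fails if already a member,
REM and a failure at every boot would hide real errors in the log.
net localgroup Administrators | findstr /I /L /C:"%GRP%" >nul
if %ERRORLEVEL% EQU 0 (
    echo %DATE% %TIME% %GRP% already in local Administrators, nothing to do>>"%LOG%"
    exit /b 0
)

REM Add the group; keep net's own output in the log for troubleshooting.
net localgroup Administrators "%GRP%" /add >>"%LOG%" 2>&1
if %ERRORLEVEL% NEQ 0 (
    echo %DATE% %TIME% FAILED to add %GRP%, errorlevel %ERRORLEVEL%>>"%LOG%"
    exit /b 1
)
echo %DATE% %TIME% Added %GRP% to local Administrators>>"%LOG%"
endlocal
exit /b 0
```

Assign it under Computer Configuration, Windows Settings, Scripts (Startup) in a GPO linked to the workstation OU; a separate GPO with a different group name covers the server OU, matching Steve's advice to keep workstation and server admin groups apart.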