Guest
We're about to embark upon renaming the Administrator ID and changing the
password in a 2000 AD environment. We then were going to make any system
administrator create a separate service admin ID with their name that gives
them domain admin permissions to do their work on AD and the 2000 servers.
However, several of them have pushed back saying they have at least 3 or
four servers that there are critical applications that MUST be run from the
server console. These applications are critical to the business and are
older legacy apps and do NOT run as services. They have to be launched and
always be running. We recommend they launch these from a terminal session
but this domain is running in Administrative mode for terminal services which
leaves only two licenses or connections per box so that takes up one of the
connections.
We suggested creating a backup operator or power user ID for logging into
the console and running these apps...but the Admins came back and argued that
some tasks just HAVE to be performed at the console such as installing McAfee
updates and other software, thus they could not log off the power user to do
such tasks. The console must be logged in with admin permissions.
Any advice out there on how to maintain auditing and accountability for sys
admins by creating their own IDs, renaming the Administrator account but then
also using an ID to log onto a console (not a session) for legacy apps that
must be run this way???