Renaming Admin ID - Making Sys Admins Accountable

Guest

We're about to embark upon renaming the Administrator ID and change the
password in a 2000 AD environment. We then were going to make any system
administrator create a separate service admin ID with their name that gives
them domain admin permissions to do their work on AD and the 2000 servers.

However, several of them have pushed back saying they have at least 3 or
four servers on which there are critical applications that MUST be run from the
server console. These applications are critical to the business and are
older legacy apps and do NOT run as services. They have to be launched and
always be running. We recommend they launch these from a terminal session,
but this domain is running in Administrative mode for terminal services, which
leaves only two licenses or connections per box, so that takes up one of the
connections.

We suggested creating a backup operator or power user ID for logging into
the console and running these apps...but the Admins came back and argued that
some tasks just HAVE to be performed at the console, such as installing McAfee
updates and other software, thus they could not log off the power user to do
such tasks. The console must be logged in with admin permissions.

Any advice out there on how to maintain auditing and accountability for sys
admins by creating their own IDs, renaming the Administrator account but then
also using an ID to log onto a console (not a session) for legacy apps that
must be run this way???
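One way to get the accountability the poster is after, regardless of how the console-logon question is settled: audit interactive logons on each member server and attribute them to the named admin IDs, while flagging any use of the built-in Administrator by its well-known RID (500), which renaming the account does not change. This is an added example written for this thread, not something posted by either participant; it assumes a modern PowerShell host, that logon auditing (event 4624) is enabled on the server, and that the Security log is readable from the session running it.

```powershell
# Added example (not from the thread): report interactive logons on a member
# server, attributing each to a named account, and flag any logon by the
# built-in Administrator via its well-known RID 500 (renaming the account
# leaves its SID unchanged). Assumes event 4624 auditing is enabled and the
# script runs in an elevated session with rights to read the Security log.

param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed: local server by default
    [int]$Days = 7                               # assumed: look back one week
)

# 4624 = successful logon. LogonType 2 = Interactive (physical console or a
# /console session); LogonType 10 = RemoteInteractive (terminal services/RDP).
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$report = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Keep only console and RDP logons; network/service logons are not the concern here.
    if ($d.LogonType -notin 2, 10) { continue }

    [pscustomobject]@{
        Time         = $e.TimeCreated
        Account      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType    = if ($d.LogonType -eq '2') { 'Console' } else { 'RDP' }
        BuiltInAdmin = $d.TargetUserSid -like '*-500'   # true even after a rename
        SourceIP     = $d.IpAddress
    }
}

# Per-person admin IDs show up under their own names; any row with
# BuiltInAdmin = True is a shared-account logon that cannot be tied to a person.
$report | Sort-Object Time | Format-Table -AutoSize

$shared = @($report | Where-Object BuiltInAdmin)
if ($shared.Count -gt 0) {
    Write-Warning ("{0} console/RDP logon(s) used the built-in Administrator (RID 500) in the last {1} day(s)." -f $shared.Count, $Days)
}
```

Run it against each of the legacy-app servers on a schedule and keep the output: if the named admin IDs are being used, every console logon maps to a person, and the RID 500 check catches anyone falling back to the shared account no matter what it has been renamed to.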
 
Paul Bergson

These legacy apps are a danger to your network security. Why would they
possibly need Domain Admin credentials? I don't believe they need that.
Find out what particular permission set they really need and then log these
machines on that way. They probably need access to resources on other
machines and the EASIEST way has been to just give these apps Domain Admin
privileges. What if someone wrote a script to create an account in one of
these apps that created an admin account or elevated someone to admin
status, etc... Get rid of these apps running as admin and do as you
suggested.

Also if you were to migrate these boxes to server 2003 you could mstsc
/console and remotely run the console and still keep your two sessions up
and running.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

Paul,

Thanks. I think their point was that these apps don't necessarily need
domain admin credentials to run...but that they need to be launched somehow
from the server. Once they login and launch the application, they stated
they then need to be able to administer the server from the console as well
to do administrative tasks at the box. They couldn't just log off
that power user to do admin tasks because the apps have to always be running.
These are member servers on a 2003 domain.
 
Paul Bergson

If they are 2003 member servers then you have remote access via the /console
switch.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 