Workstation deployment question

[jd]

Question:
I am a Domain Admin in a Server Group and it is time for me to get a new
notebook (workstation) again. The OS on the workstation will be either XP or
possibly Vista. Every couple of years the Workstation Group comes over and
requests my username and password in order to setup my new notebook.

The Workstation Group states the following when I express I would rather
NOT give them my password. “In order to insure a seamless transition for the
client when deploying turnkey replacement equipment, the Workstation Group
has customarily requested security credentials. This is necessary because
there are a number of applications (core included), that are client profile
specific such as Lotus Notes, iHeat, and VPN. Without the credentials, we
cannot complete the installation and configurations.â€

It would seem to me that Microsoft’s Windows must have some workstation
creation and deployment method or utility for workstation deployment that
does not require a user to provide their password. Especially when you are a
Domain Admin and highly sensitive data could be obtained using a Domain Admin
account.

Can anyone please provide me with some knowledgeable insight so I may
champion a change regarding this current company policy?

Thanks for your help,

 

[Shenan Stanley]

Question:
I am a Domain Admin in a Server Group and it is time for me to get
a new notebook (workstation) again. The OS on the workstation will
be either XP or possibly Vista. Every couple of years the
Workstation Group comes over and requests my username and password
in order to setup my new notebook.

The Workstation Group states the following when I express I would
rather
NOT give them my password. "In order to insure a seamless
transition for the client when deploying turnkey replacement
equipment, the Workstation Group has customarily requested security
credentials. This is necessary because there are a number of
applications (core included), that are client profile specific such
as Lotus Notes, iHeat, and VPN. Without the credentials, we cannot
complete the installation and configurations."

It would seem to me that Microsoft's Windows must have some
workstation creation and deployment method or utility for
workstation deployment that does not require a user to provide
their password. Especially when you are a Domain Admin and highly
sensitive data could be obtained using a Domain Admin account.

Can anyone please provide me with some knowledgeable insight so I
may champion a change regarding this current company policy?

They could just change your password and give it to you when you need
it/when they are done.

Although it does simplify things when you know the user's credentials - it
is not necessary *if* the user is knowledgable and can finish some of the
setup themselves OR the tech support has time/social skills and can sit with
the user after their initial setup of the machine (with all software and a
decent starting default user profile) and have the user logon as necessary
to finish the required setup.

 

[sysbuilder]

This is a routine scenario in my environment.

We offer to reset the user password to something and make them aware of the
temp password until we notify them that the admin work is complete.

Otherwise, they just write the password down or email it to us. This is a
horrible practice, I know.

How bout shimmy'n over to some of my RIS questions Shenan? Are you
available by email by chance?

Regards

 

[Anteaus]

Lowdown is that if you give a Domain Admin password (which I assume is what
you mean) to an untrusted person, then that person effectively '3wnz' the LAN
from that point on. Even if you change the password when they are done, this
does not guarantee they haven't created a second Admin user for their own
purposes, or installed some kind of backdoor onto the domain controller.

Basically, Admin passwords should only be given to a highly-trusted person.
Even then, there may be the concern that, even though trustworthy, the person
does not realise the significance of what they've been given, and may thus
'leak' the password to other people who are not so trustworthy. I've had this
happen, I guess most admins must have at some time, and these days the answer
is a resounding 'No' unless I'm satisfied that security will be maintained.

 

[raideray]

You shouldn't be using a Domain Admin account as your regular login.