Groups vs. Computer Management
Page 1 of 2 (results 1 to 10 of 18)

Thread: Groups vs. Computer Management

  1. #1
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718

    Groups vs. Computer Management

    I just have a question for anyone who's interested:
    When it comes to client-end administrative rights, are you guys more apt to create special-case groups on the server, then transfer them to the client machine (so that some users can have administrative rights), or do you prefer to use the "My Computer -> Manage -> Connect to a computer" option to connect to a client directly via the server and change user rights (add them temporarily to the Administrators group on the local machine), perform whatever tasks you/they need to do, then remove them from the Administrators group on the local machine?
    Curious what you guys think.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  2. #2
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742
    I guess the first question is why do they need temp admin rights? If it's for software installs you should be handling that at a Help Desk/IT level, not the end user. That way you can evaluate the software before allowing it. Same with any other installation that would require admin rights on a box.

    In our architecture there are groups to be able to do anything. We have a group if a user wants to be able to burn cds, one if they need to use floppies, etc. Everything is locked down to a group. Albeit there are very few exceptions where a user is added as a local admin but anything else we will login or Run As in order to accomplish what they need.

    So does that answer the question?
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem? Click here

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi ShagDevil, the stock answer is that users don't get admin rights. They should only be able to do exactly what they need to do to perform their duties to the organisation.

    Firstly, there is no way I would put 50 senior managers' personal assistants in a "special case group".

    That would be more for "power users" such as R&D guys, designers and so on. But only in the kind of case where they used specialist software that they were more qualified to administer.

    I would haul others into my project room, log them in as an admin on one of my boxes, and make them do whatever under the supervision of myself or one of my staff.

    I am of the same mind as Spyrus ..................why would the question arise?

    Now, I take a hard line with everyone on this in development situations. If I need you to have admin rights it should be on a development system, NOT a production one. OK so you need two machines............if you can't understand that, maybe you should not be doing what you are doing?............ I have never had any problems with getting the right equipment to carry out development projects.

    I suggest that you need to ask whether this is a production environment or a development one, in the first instance?

    Just a few thoughts
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Before you decide what is better, the first place to stop is at your organizational security policy. Then take a look at requirements. After that, evaluate choices.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    there are very few exceptions where a user is added as a local admin but anything else we will login or Run As in order to accomplish what they need
    Well, here's the thing. We basically give our users very limited rights. This really poses no problems for the most part. For software installations/network issues we can login or use runas, but here's my theory.
    We can create groups on the server, allowing us to perform administrative tasks on each client computer, yadda yadda. But we like to keep our clients' machines clean of accounts and we try not to populate AD with all kinds of groups. Basically, we have 2 accounts on each client machine: the local administrator and a roaming account (for whoever is using the machine). We can easily log in using the roaming Admin account or we can use runas, but it can be a pain in the ass if you only need to do something trivial. Especially with our systems, because logon/logoff are fairly slow due to the complexity of the software we are using on each client.
    For example, let's say I need to go in and adjust a few network settings, and maybe change a few running processes, and maybe delete a file or two. Logging off and back on is a royal pain in the ass; using runas is ok, but can be yet another royal pain in the ass depending on what I need to do.
    What I noticed is that going on to the server and using the Manage option works quickly and easily. I connect to their PC, give them Admin rights locally, do what I need to do, then remove them from the Admin group (locally). No extra groups, no change to their account, no logging off, no changes to the AD. It just seems so damn easy.
    But yes, lol, you did answer my question. This is purely an opinion-based thread to see how other Admins handle their daily work. Basically, I look for ideas, and what better way than asking how other people go about their business.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
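The procedure described in the post above (add a user to the local Administrators group, do the work, remove them again) only stays safe if the removal actually happens on every machine. The following PowerShell script is an added example, not code from the thread or from any poster: it audits the local Administrators group across a set of workstations and reports any member that is not on an approved list, so an elevation that was never reverted shows up. It assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), WinRM enabled, and that the caller already has admin rights on each machine; the computer names, the CONTOSO domain and the approved groups are constructed placeholders.

```powershell
# Added example, not from the thread: audit the local Administrators group on
# a set of workstations and report members that are not on an approved list.
# Assumes PowerShell 5.1+ on the targets, WinRM enabled, and that the caller
# already has admin rights on each machine. Computer names and the approved
# list below are constructed placeholders.

function Get-UnapprovedLocalAdmins {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $ApprovedMember
    )

    # Collect membership remotely; each row records which machine it came from.
    # Unreachable hosts produce an error but do not stop the rest of the audit.
    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $_.Name            # 'MACHINE\user' or 'DOMAIN\group'
                ObjectClass = $_.ObjectClass     # User or Group
                Source      = $_.PrincipalSource # Local, ActiveDirectory, ...
            }
        }
    }

    foreach ($m in $members) {
        # Local accounts come back as 'MACHINE\name'; compare both the full and
        # the short form so 'Administrator' on the allow-list matches everywhere.
        $short = $m.Member -replace ('^' + [regex]::Escape($m.Computer) + '\\'), ''
        if (($ApprovedMember -notcontains $m.Member) -and ($ApprovedMember -notcontains $short)) {
            $m
        }
    }
}

# Constructed inputs for the example run.
$computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')
$approved  = @(
    'Administrator',                # built-in local account
    'CONTOSO\Domain Admins',        # placeholder domain group
    'CONTOSO\Workstation Admins'    # placeholder support group
)

$drift = Get-UnapprovedLocalAdmins -ComputerName $computers -ApprovedMember $approved

if ($drift) {
    $drift | Format-Table Computer, Member, ObjectClass, Source -AutoSize
    # Keep a dated record so a "temporary" elevation that was never reverted
    # can be traced back to when it first appeared.
    $drift | Export-Csv -NoTypeInformation -Path ("LocalAdminDrift-{0:yyyyMMdd}.csv" -f (Get-Date))
} else {
    Write-Host 'No unapproved local administrators found.'
}
```

Run it on a schedule rather than once: the value of the check is the diff between runs, which is what turns a forgotten "remove them from the Admin group" step into a visible finding. The allow-list is compared by name, so a domain group that is itself over-populated would still pass; that part of the review belongs in AD, not on the workstations.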

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    AhHa! ShagDevil, now I understand you!

    Well, isn't that just what a lot of malware is looking for?

    I was thinking more of users actually needing the admin rights themselves, rather than you using it as an administrative shortcut.

    I would strongly recommend that you subordinate your administrative convenience to sound security policy.

    I would question this "software" that is causing all the problems................... I have never encountered such a problem
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    I think Horse came up with the best point - take all of your requirements into consideration.

    People are very quick to jump on the "users should not be admins" bandwagon as this is the general consensus; normally these people have not administered a domain and probably never will, otherwise they would know that in reality not every network is the same and not all requirements are the same. On some networks it may make perfect sense to give a certain user admin rights and on others it may not.

    But back to your question - I had a similar problem in my last job and the method you are using is the one I decided to adopt! Like you said it's so damn easy and quick - I used to do it a different way until someone booted from a live cd on a laptop and cachedumped the admin password.... which is what made me start doing it the way you do!
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  8. #8
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742
    Understanding what you are basing your question on... I still stand by my original post but we use an application called Switch User (su.exe). How it works:

    I remote into a PC using a separate application (Remotely Anywhere, any will work)
    I launch su.exe
    input my information.
    ***The original user is still logged in***
    a new desktop comes up (much like a remote desktop would)
    I am then able to make any changes I need as an admin.
    When finished I go to Start > Log Off and it returns to the user's desktop

    Works great, as easy as your method, maybe maybe not but I don't need to login to 2 systems to get the job done
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem? Click here

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Appreciate all the responses. This is pretty much what I was looking for. Everyone has a different train of thought (as they should) and hearing the different perspectives helps me figure out the best possible way to approach network management. There were things mentioned I never thought about and well, that's the beauty of threads like this. It's like having a bunch of network admins on tap (and I don't have to fork out any money).
    as quoted from Guinness "brilliant!"
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Originally posted here by Spyrus
    Understanding what you are basing your question on... I still stand by my original post but we use an application called Switch User (su.exe). How it works:

    I remote into a PC using a separate application (Remotely Anywhere, any will work)
    I launch su.exe
    input my information.
    ***The original user is still logged in***
    a new desktop comes up (much like a remote desktop would)
    I am then able to make any changes I need as an admin.
    When finished I go to Start > Log Off and it returns to the user's desktop

    Works great, as easy as your method, maybe maybe not but I don't need to login to 2 systems to get the job done
    Before I ask my questions, I want you to know that I'm asking for informational purposes, not to put you on the hot seat.

    Now, when you say that you have a third party remote control app listening on each workstation, do all of them have the same credentials for sign in? I nearly choked a few admins for this.

    Next, you mentioned that you run the su.exe program when you login remotely. By your description, it sounds like the local user has rights to execute that app. Is this the case?

    More or less, I rained fire down from the sky on poor desktop management practices. The biggest issue I came across is end users having rights to install any app they like. When you look back to our policy, they have no need to do this because we only support the core business apps. If you look at our helpdesk calls, 60% are for apps that are outside the supported suite. Now, let's not even get into the various security issues of people installing vulnerable versions of real player, winamp, etc., especially when they end up on disk images.

    So again, I always use policy and requirements as my weapon of choice. Then I move on to the technical specifics.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
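The second question in the post above, whether the logged-on user has rights to execute the elevation tool, is one a practitioner can check directly from the file's ACL. The following PowerShell script is an added example, not code from the thread or from the su.exe product: it lists every principal with an Allow entry that includes the ExecuteFile right on a given executable and flags the broad built-in groups that stand for "any interactive user". The path C:\Tools\su.exe is a placeholder, not the tool's real location.

```powershell
# Added example, not from the thread: list the principals that are allowed to
# run a given executable, so you can answer "can the logged-on user launch it?"
# The tool path is a constructed placeholder; point it at your own install.

function Get-ExecutePrincipals {
    param([Parameter(Mandatory)] [string] $Path)

    # ExecuteFile is the bit that ReadAndExecute, Modify and FullControl all include.
    $executeFlag = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $executeFlag) -eq $executeFlag)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited   # inherited entries usually come from the parent folder
            }
        }
}

# Built-in identities that mean "every interactive user"; a match here means
# the end user could launch the tool without any admin involvement.
$broad = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$toolPath = 'C:\Tools\su.exe'   # placeholder location
$allowed  = Get-ExecutePrincipals -Path $toolPath
$allowed | Format-Table -AutoSize

$exposed = $allowed | Where-Object { $broad -contains $_.Identity }
if ($exposed) {
    Write-Warning "Standard users can execute $toolPath via: $($exposed.Identity -join ', ')"
} else {
    Write-Host "No broad groups have execute rights on $toolPath."
}
```

This reads the DACL only, so it is an approximation of effective access: a Deny entry higher in the list, or membership through a nested group, can change the real answer. For a definitive check, run the tool's launch as the standard user account in question and confirm it fails; for the first question in the post (one shared credential on every workstation's remote-control listener), no script on the endpoint can tell you that, and it has to be answered from the credential store and the policy that populated it.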
