Distributed Administration


Neil

Hello,
I have consolidated NT4 domains into 8 regional
OUs. I have also delegated control of these OUs to
regional admin groups that have been created.

These administrator accounts have the ability to
manage/create users, sub-OUs, DHCP, DNS, etc. but are
unable to authorise DNS, DHCP, RAS, etc.
...So far so good.

I don't want the administrators to be able to perform
these tasks as their normal desktop account so they need
to log in using the new admin accounts.

I'm having a problem trying to figure out the best way for
these admins to log in... either at their desktop as the
administrators or at the servers?

If they have to log in on their desktops, it would mean
that they have to keep logging in and out all day. This
wouldn't be popular!

Has anyone already done something like this?

Thanks
Neil
 
Seems to me they could use the runas with the mmc on their
desktop. We do something a little different than that: we
use Citrix and publish the mmc. The user authenticates
via Citrix NFuse (web based) and they can manage from
anywhere. So they could be at a user's desktop,
authenticate as themselves and fix it w/o requiring the
user to log off.

Paul Bergson MCT, MCSE, CNE, CNA, CCA
 
I have never been a big fan of the idea that admins should have two
accounts, one for admin work and one for day-to-day user stuff. If a user is
trusted then I give them the permissions required to do their job and let
them get on with it. Administrators should be sufficiently trained to know
that they should use strong passwords and not leave their PCs unlocked when
they are away from the desk. Then they can just install the admin tools on
their PC and get on with the job without any hassle.
 
Swings and roundabouts I suppose.

Personally I don't like the idea of Administrators doing routine tasks (web
browsing, reading email etc) with accounts that have sweeping powers over a
large number of machines. Using the Secondary Logon feature isn't too much
of a hassle and it does mean that you have a little extra protection from
doing something stupid (and let's face it we all do something we didn't
quite mean from time to time!)

Andy
 