Guest
I have a problem that's been bugging me for years now and I thought I'd run
it up the flagpole to see what kind of ideas I could generate for solutions.
We have a number of remote users and road warriors that travel with laptops
and, more importantly, a pool of loaner units that go out for presentations,
educational events and infrequent travelers.
What I was wondering is, does anyone out there have a solution for safely
granting remote users local administrative rights to a system as needed
without all the headache of managing admin logons and passwords individually
for every remote machine? I've got several conceptual ideas on how this could
be accomplished but few thoughts on how to properly develop and implement.
The best solutions I see are:
-- Creating an administrative user as needed with a script that can be
emailed to users or sent with laptops that includes a customized
expiration or self-deletion built in.
-- Every laptop would have an administrator account set up with a standard
password which we would give out as needed. The account would expire
after a specific number of logons or after a specific time.
-- An application or script that could grant the user administrative rights
within their own logon simply by providing them with a key that either
changes or rotates so that it is only good once.
Our current policy is to set up a common local user account on these laptops
with User level permissions. We've always struggled with problems that arise
when users are out of town and need administrative access to accomplish a
task. We've reluctantly had to give them the local admin logon in many cases,
hoping they would just forget it. Then we have to go and change the admin
passwords on all the loaners to keep them secure.
We've been able to work around many of the problems using remote support
such as WebEx support to gain remote control and run whatever procedure was
required using Run as... but when there is no Internet connectivity, this
becomes impossible.
I would like to hear ideas and comments on this from anyone else who has
similar issues. Even if you don't have solutions, perhaps a discussion of
problems, wants and needs will help to generate enough interest to coax
solutions out of the aether. I look forward to your input.
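
One way the third idea above (a key that is only good once, usable with no Internet connection) could work, as an added example that is not part of the original post: the help desk reads out a counter-based one-time code (HOTP, RFC 4226) and the laptop checks it offline against its own per-laptop secret. The class names, laptop names and secrets are constructed for illustration, and the actual change to the local Administrators group, plus its removal at the returned expiry time, is left to the caller.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 one-time code: truncated HMAC-SHA1 of an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class HelpDesk:
    """Office side: one secret and one counter per laptop (hypothetical store)."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.counters = {name: 0 for name in secrets}

    def issue(self, laptop: str) -> str:
        code = hotp(self.secrets[laptop], self.counters[laptop])
        self.counters[laptop] += 1  # never read out the same code twice
        return code


class LaptopVerifier:
    """Laptop side: works offline; its state must be readable by admins only."""

    def __init__(self, secret: bytes, window: int = 5, max_failures: int = 5,
                 grant_seconds: int = 3600):
        self.secret, self.window = secret, window
        self.max_failures, self.grant_seconds = max_failures, grant_seconds
        self.counter = 0    # next counter value this laptop will accept
        self.failures = 0   # consecutive wrong codes

    def redeem(self, code: str, now: float):
        """Return the time the grant expires, or None if the code is refused."""
        if self.failures >= self.max_failures:
            return None     # locked until the laptop is back with IT
        given = code.encode()
        # Look ahead a few counters in case issued codes were never typed in.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c).encode(), given):
                self.counter = c + 1   # burns this code and any skipped ones
                self.failures = 0
                return now + self.grant_seconds
        self.failures += 1
        return None
```

Because each laptop has its own secret, a code given out for one loaner is useless on the others, so handing one out does not force a password change across the pool.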