Workstation deployment question

jd - 14 Dec 2007 15:15 GMT
Question:
I am a Domain Admin in a Server Group and it is time for me to get a new
notebook (workstation) again. The OS on the workstation will be either XP or
possibly Vista. Every couple of years the Workstation Group comes over and
requests my username and password in order to set up my new notebook.

The Workstation Group states the following when I express I would rather
NOT give them my password. “In order to ensure a seamless transition for the
client when deploying turnkey replacement equipment, the Workstation Group
has customarily requested security credentials.  This is necessary because
there are a number of applications (core included), that are client profile
specific such as Lotus Notes, iHeat, and VPN.  Without the credentials, we
cannot complete the installation and configurations.”

It would seem to me that Microsoft’s Windows must have some workstation
creation and deployment method or utility for workstation deployment that
does not require a user to provide their password. Especially when you are a
Domain Admin and highly sensitive data could be obtained using a Domain Admin
account.

Can anyone please provide me with some knowledgeable insight so I may
champion a change regarding this current company policy?  

Thanks for your help,

Shenan Stanley - 14 Dec 2007 18:03 GMT
> Question:
> I am a Domain Admin in a Server Group and it is time for me to get
[quoted text clipped - 21 lines]
> Can anyone please provide me with some knowledgeable insight so I
> may champion a change regarding this current company policy?

They could just change your password and give it to you when you need
it/when they are done.

Although it does simplify things when you know the user's credentials - it
is not necessary *if* the user is knowledgeable and can finish some of the
setup themselves OR the tech support has time/social skills and can sit with
the user after their initial setup of the machine (with all software and a
decent starting default user profile) and have the user log on as necessary
to finish the required setup.

Shenan Stanley
    MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

sysbuilder - 14 Dec 2007 22:07 GMT
This is a routine scenario in my environment.  

We offer to reset the user password to something and make them aware of the
temp password until we notify them that the admin work is complete.

Otherwise, they just write the password down or email it to us.   This is a
horrible practice, I know.

How bout shimmy'n over to some of my RIS questions Shenan?  Are you
available by email by chance?

Regards

> > Question:
> > I am a Domain Admin in a Server Group and it is time for me to get
[quoted text clipped - 31 lines]
> decent starting default user profile) and have the user log on as necessary
> to finish the required setup.

Anteaus - 16 Dec 2007 20:31 GMT
Lowdown is that if you give a Domain Admin password (which I assume is what
you mean) to an untrusted person, then that person effectively '3wnz' the LAN
from that point on.  Even if you change the password when they are done, this
does not guarantee they haven't created a second Admin user for their own
purposes, or installed some kind of backdoor onto the domain controller.

Basically, Admin passwords should only be given to a highly-trusted person.
Even then, there may be the concern that, even though trustworthy, the person
does not realise the significance of what they've been given, and may thus
'leak' the password to other people who are not so trustworthy. I've had this
happen, I guess most admins must have at some time, and these days the answer
is a resounding 'No' unless I'm satisfied that security will be maintained.

> Question:
> I am a Domain Admin in a Server Group and it is time for me to get a new
> notebook (workstation) again. The OS on the workstation will be either XP or
> possibly Vista. Every couple of years the Workstation Group comes over and
> requests my username and password in order to set up my new notebook.

raideray - 28 Dec 2007 22:58 GMT
You shouldn't be using a Domain Admin account as your regular login.

> Lowdown is that if you give a Domain Admin password (which I assume is what
> you mean) to an untrusted person, then that person effectively '3wnz' the LAN
[quoted text clipped - 14 lines]
> > possibly Vista. Every couple of years the Workstation Group comes over and
> > requests my username and password in order to set up my new notebook.
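
Anteaus's point in the thread above, that changing the password afterwards does not undo a second admin account, suggests reviewing account-management events from the period the credential was shared. The following is an added example, not part of the thread: the account names, dates, group list and simplified event schema are constructed, and it assumes the password was reset at the end of the window.

```python
from datetime import datetime

# Windows Security event IDs (Vista / Server 2008 and later numbering).
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # global, local, universal groups

def audit_exposure(events, exposed, start, end, privileged_groups):
    """Flag account creation and privileged-group additions traceable to a
    credential shared between start and end. Accounts it created or promoted
    are tracked as tainted: a later password reset does not disable them."""
    exposed = exposed.lower()
    tainted = {exposed}
    groups = {g.lower() for g in privileged_groups}
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        actor = ev["actor"].lower()
        if when < start or actor not in tainted:
            continue
        # Assumption: after the reset the exposed account is back with its owner.
        if actor == exposed and when > end:
            continue
        if ev["id"] == ACCOUNT_CREATED:
            kind = "account_created"
        elif ev["id"] in GROUP_MEMBER_ADDED and ev["group"].lower() in groups:
            kind = "privileged_add"
        else:
            continue
        tainted.add(ev["target"].lower())
        findings.append((kind, ev["time"], ev["actor"], ev["target"]))
    return findings

# Constructed sample export; field names (time, id, actor, target, group) are
# a simplified, hypothetical schema, not the raw event XML.
SAMPLE_EVENTS = [
    {"time": "2007-12-14T09:00:00", "id": 4720, "actor": "helpdesk1", "target": "newhire"},
    {"time": "2007-12-17T10:05:00", "id": 4720, "actor": "jd-admin", "target": "svc-backup2"},
    {"time": "2007-12-17T10:06:00", "id": 4728, "actor": "jd-admin", "target": "svc-backup2", "group": "Domain Admins"},
    {"time": "2007-12-17T11:00:00", "id": 4728, "actor": "jd-admin", "target": "jsmith", "group": "Printer Users"},
    {"time": "2007-12-18T16:00:00", "id": 4728, "actor": "jd-admin", "target": "ops2", "group": "Domain Admins"},
    {"time": "2007-12-20T02:30:00", "id": 4720, "actor": "SVC-BACKUP2", "target": "tmpuser"},
]

def run_sample():
    return audit_exposure(SAMPLE_EVENTS, "jd-admin",
                          datetime(2007, 12, 17, 9, 0), datetime(2007, 12, 17, 17, 0),
                          ["Domain Admins", "Enterprise Admins"])

if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

The last finding is the case the password change misses: an account created during the window acting on its own days later.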
 