Using the Administrator's account or not using it

r14edge

Hello,

Me and my boss had always used the administrator account. I know, it's not a
good thing. Since the hiring, I decided, for security purposes, to "eliminate"
this account and added some administrator privilege to our user account.

What I wish to accomplish with that measure is to put on track an audit
system. I wish also to create some level of access. Techs will have
shares/folders access only. Network admins, same as techs plus Exchange and
Active Directory. I don't want to use the built-in groups like Domain Admins
or Administrators for the simple reason that I found those groups too powerful.

The point of this post is to know if I'm doing the right thing. I don't have
much experience in account management, but I know that using a generic user
to access all the network resources is not a good thing. Is this something
possible, or am I wasting my time? If not, can someone point me to some
websites on how to create a proper account structure and stuff like that?

All comments will be appreciated,

Thank you all,

Fred
 
Roger Abell [MVP]

"r14edge" <r14edge@discussions.microsoft.com> wrote in message
news:0643FED5-4436-4E73-9B95-0F45A77DF9BC@microsoft.com...
> Hello,
>
> Me and my boss had always used the administrator account. I know, it's not a
> good thing. Since the hiring, I decided, for security purposes, to "eliminate"
> this account and added some administrator privilege to our user account.
>
> What I wish to accomplish with that measure is to put on track an audit
> system. I wish also to create some level of access. Techs will have
> shares/folders access only. Network admins, same as techs plus Exchange and
> Active Directory. I don't want to use the built-in groups like Domain Admins
> or Administrators for the simple reason that I found those groups too powerful.
>
> The point of this post is to know if I'm doing the right thing. I don't have
> much experience in account management, but I know that using a generic user
> to access all the network resources is not a good thing. Is this something
> possible, or am I wasting my time? If not, can someone point me to some
> websites on how to create a proper account structure and stuff like that?
>
> All comments will be appreciated,
>
> Thank you all,
>


Fred,

There are very many aspects to what you are taking on, but in my opinion
it is a good thing, if I have understood. I recommend that all people have
their own general, day-to-day use account that is just a normal Domain Users
member without any special privileges. If someone had duties that require
extra privileges that have wide access or impact, they should have a different
account that is to be used only when they need to perform those duties. Other
people do not like that approach, but I see it as essential given that the
general day-to-day activities (email, browsing, etc.) are some of the
potentially more dangerous in today's world, so why have them using empowered
accounts then?

For the privileged accounts, determine what are the different tasks people
will have and what is the minimum power needed for those tasks. Again, these
privileged accounts should not be shared, but uniquely provided to each
person. When you decide to audit actions this is the main way you can hope
to have a trail back to individuals (although a lawyer would poke holes into
such claims with ease - "How do you know someone else was not using it?")

Anyway, that's my take on what I think you were asking.

Roger
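
The account model discussed in this thread, checked over an account inventory. This is an added example, not code from either poster. It assumes an export of accounts with their owners and group memberships; the account names, the `Role-Techs` and `Role-NetAdmins` groups and the `adm-` prefix for privileged accounts are constructed for illustration.

```python
# Constructed assumptions: group names, the "adm-" naming convention and
# the sample inventory below are illustrative, not taken from a real domain.
BROAD_BUILTIN = {"Domain Admins", "Administrators"}
ROLE_GROUPS = {"Role-Techs", "Role-NetAdmins"}   # hypothetical custom role groups
PRIVILEGED = BROAD_BUILTIN | ROLE_GROUPS
ADMIN_PREFIX = "adm-"

# Constructed sample inventory: (account, owners, group memberships)
ACCOUNTS = [
    ("fred",          ["Fred"],         {"Domain Users"}),
    ("adm-fred",      ["Fred"],         {"Domain Users", "Role-NetAdmins"}),
    ("boss",          ["Boss"],         {"Domain Users", "Domain Admins"}),
    ("Administrator", ["Fred", "Boss"], {"Administrators", "Domain Admins"}),
    ("adm-tech1",     ["Tech1"],        {"Domain Users", "Role-Techs"}),
]

def audit(accounts):
    """Return (account, rule) findings for the two-account model."""
    findings = []
    has_standard = set()   # people who own an unprivileged personal account
    admin_owned = []       # (account, owner) for personal privileged accounts
    for name, owners, groups in accounts:
        priv = groups & PRIVILEGED
        personal = len(owners) == 1
        if not priv:
            if personal:
                has_standard.add(owners[0])
            continue
        if not personal:
            # Shared privileged account: no audit trail back to one person.
            findings.append((name, "shared-privileged"))
        elif not name.startswith(ADMIN_PREFIX):
            # Privileges sit on an account also used for email and browsing.
            findings.append((name, "daily-use-privileged"))
        else:
            admin_owned.append((name, owners[0]))
        if priv & BROAD_BUILTIN:
            # Broad built-in group where a narrower role group was intended.
            findings.append((name, "broad-builtin-group"))
    for name, owner in admin_owned:
        if owner not in has_standard:
            # Admin account exists but its owner has no day-to-day account.
            findings.append((name, "no-standard-account"))
    return findings

if __name__ == "__main__":
    for account, rule in audit(ACCOUNTS):
        print(f"{account}: {rule}")
```
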
 