I help support a large (500+) server environment. We have a security group that periodically needs to do investigations on servers with regards to employee fraud, misuse of equipment, etc. I don't want to give these folks admin rights across every box. Is there an easy way to implement a "firewall" ID that I can turn on only when needed?
Create a domain user account but disable it. Ensure it uses a complex password. Give it membership in the local computer administrators group. When the group needs to check out a server, enable the account. Allow a user to use this account only when necessary. Otherwise they are to use their own account. Be sure to enable the account before use, be sure to reset the password after each use. Also, be sure to log their activity. You may want several of these accounts. Use a special group in which you grant them membership, then the group can be give the local admin access. Since each user has an account, you can maintain accountability.
This Content Component encountered an error
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.