Server Logins

Thread starter: pf

This is a question I'm hoping I will get some good input on.
For all of our servers we create a generic AD user account, and assign that
AD account to the local administrators group on the designated server that it
should administer. This way if the user account gets used on any other
machine other than the one server it's assigned to, the account only has
normal user account rights on the network.

Is this an appropriate method for trying to secure servers and the admin
rights to them?
Is there some other approach we should be using?
What about domain controllers, should they be logged in as domain admin?

thanks in advance for any input on this topic.
 
pf <pf@discussions.microsoft.com> wrote:
> This is a question I'm hoping I will get some good input on.
> For all of our servers we create a generic AD user account, and
> assign that AD account to the local administrators group on the
> designated server that it should administer. This way if the user
> account gets used on any other machine other than the one server it's
> assigned to, the account only has normal user account rights on the
> network.
>
> Is this an appropriate method for trying to secure servers and the
> admin rights to them?
> Is there some other approach we should be using?
> What about domain controllers, should they be logged in as domain
> admin?
>
> thanks in advance for any input on this topic.


The problem with any "generic" account is that you can't figure out who did what.
I'd look at setting up individual 'engineering' level accounts for these
admins (not to be used as 'daily driver' user accounts), and use AD
delegation to grant them permissions to only that which they need. Then
crank up your auditing via group policy so you have an audit trail.
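The layout the reply describes (one named admin account per engineer, a per-server group that carries the local Administrators right, delegation scoped to one OU, and auditing turned up so the Security log names the person), as an added PowerShell example that is not part of the thread and not anyone's posted code. Everything concrete in it is an assumption chosen for illustration: the CONTOSO domain, the "Admin Accounts" and "Servers" OUs, the server SRV-FILE01, the "-adm" naming convention and the engineer "pf". It expects the ActiveDirectory RSAT module on the machine it runs from, WinRM on the server, and a domain admin running it.

```powershell
# Added example, not from the thread. Assumptions (all hypothetical): domain CONTOSO
# (DC=contoso,DC=com), OUs "Admin Accounts" and "Servers", a server SRV-FILE01, and an
# engineer whose daily-driver account is "pf". Run as a domain admin from a host with
# RSAT; the local-group and auditpol steps execute on the server over WinRM.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'
$DomainDN  = 'DC=contoso,DC=com'
$AdminOU   = "OU=Admin Accounts,$DomainDN"
$ServerOU  = "OU=Servers,$DomainDN"
$Server    = 'SRV-FILE01'
$Engineers = @('pf')   # one named admin account per person, never a shared one

# 1. Individual, non-daily-driver admin accounts named <user>-adm.
foreach ($u in $Engineers) {
    $adm = "$u-adm"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$adm'")) {
        New-ADUser -Name $adm -SamAccountName $adm -Path $AdminOU `
            -AccountPassword (Read-Host "Password for $adm" -AsSecureString) `
            -Enabled $true -ChangePasswordAtLogon $true `
            -Description "Admin account for $u; not for mail, web or daily use"
    }
}

# 2. A per-server group carries the local-admin right. The group is "generic",
#    but its members are named people, so the audit trail still says who did what.
$GroupName = "LocalAdmins-$Server"
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $ServerOU -Description "Members are local Administrators on $Server only"
}
Add-ADGroupMember -Identity $GroupName -Members ($Engineers | ForEach-Object { "$_-adm" })

# 3. On the server itself, put the group (not the accounts) into local Administrators,
#    then 4. turn auditing up so logons, admin-privilege logons and group changes are logged.
Invoke-Command -ComputerName $Server -ScriptBlock {
    param($Member)
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
    }
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Special Logon" /success:enable
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
} -ArgumentList "$Domain\$GroupName"

# 5. AD delegation instead of Domain Admins: the group gets full control (GA) over
#    objects of class "computer" under the Servers OU only. /I:S applies the ACE to
#    sub-objects, so nothing outside that OU is touched.
dsacls $ServerOU /I:S /G "$Domain\${GroupName}:GA;;computer"

# 6. Who logged on as what: event 4624 filtered on the -adm convention is the per-person trail.
#    Property 5 of a 4624 event is TargetUserName, property 8 is LogonType.
Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    Where-Object { $_.Properties[5].Value -like '*-adm' } |
    Select-Object TimeCreated,
        @{ n = 'Account';   e = { $_.Properties[5].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } }
```

In production the local-group step is usually done once through Group Policy (Restricted Groups or Group Policy Preferences applied to the server's OU) rather than per host, and the auditpol lines are the same subcategories you would set under Advanced Audit Policy Configuration in that GPO; the script just makes the individual steps visible.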
 