Question:
I am a Domain Admin in a Server Group and it is time for me to get a new
notebook (workstation) again. The OS on the workstation will be either XP or
possibly Vista. Every couple of years the Workstation Group comes over and
requests my username and password in order to setup my new notebook.
The Workstation Group states the following when I express I would rather
NOT give them my password. “In order to insure a seamless transition for the
client when deploying turnkey replacement equipment, the Workstation Group
has customarily requested security credentials. This is necessary because
there are a number of applications (core included), that are client profile
specific such as Lotus Notes, iHeat, and VPN. Without the credentials, we
cannot complete the installation and configurations.”
It would seem to me that Microsoft’s Windows must have some workstation
creation and deployment method or utility for workstation deployment that
does not require a user to provide their password. Especially when you are a
Domain Admin and highly sensitive data could be obtained using a Domain Admin
account.
Can anyone please provide me with some knowledgeable insight so I may
champion a change regarding this current company policy?
jd wrote:
> Question:
> I am a Domain Admin in a Server Group and it is time for me to get
> a new notebook (workstation) again. The OS on the workstation will
> be either XP or possibly Vista. Every couple of years the
> Workstation Group comes over and requests my username and password
> in order to setup my new notebook.
>
> The Workstation Group states the following when I express I would
> rather
> NOT give them my password. "In order to insure a seamless
> transition for the client when deploying turnkey replacement
> equipment, the Workstation Group has customarily requested security
> credentials. This is necessary because there are a number of
> applications (core included), that are client profile specific such
> as Lotus Notes, iHeat, and VPN. Without the credentials, we cannot
> complete the installation and configurations."
>
> It would seem to me that Microsoft's Windows must have some
> workstation creation and deployment method or utility for
> workstation deployment that does not require a user to provide
> their password. Especially when you are a Domain Admin and highly
> sensitive data could be obtained using a Domain Admin account.
>
> Can anyone please provide me with some knowledgeable insight so I
> may champion a change regarding this current company policy?
They could just change your password and give it to you when you need
it/when they are done.
Although it does simplify things when you know the user's credentials - it
is not necessary *if* the user is knowledgable and can finish some of the
setup themselves OR the tech support has time/social skills and can sit with
the user after their initial setup of the machine (with all software and a
decent starting default user profile) and have the user logon as necessary
to finish the required setup.
We offer to reset the user password to something and make them aware of the
temp password until we notify them that the admin work is complete.
Otherwise, they just write the password down or email it to us. This is a
horrible practice, I know.
How bout shimmy'n over to some of my RIS questions Shenan? Are you
available by email by chance?
Regards
"Shenan Stanley" wrote:
> jd wrote:
> > Question:
> > I am a Domain Admin in a Server Group and it is time for me to get
> > a new notebook (workstation) again. The OS on the workstation will
> > be either XP or possibly Vista. Every couple of years the
> > Workstation Group comes over and requests my username and password
> > in order to setup my new notebook.
> >
> > The Workstation Group states the following when I express I would
> > rather
> > NOT give them my password. "In order to insure a seamless
> > transition for the client when deploying turnkey replacement
> > equipment, the Workstation Group has customarily requested security
> > credentials. This is necessary because there are a number of
> > applications (core included), that are client profile specific such
> > as Lotus Notes, iHeat, and VPN. Without the credentials, we cannot
> > complete the installation and configurations."
> >
> > It would seem to me that Microsoft's Windows must have some
> > workstation creation and deployment method or utility for
> > workstation deployment that does not require a user to provide
> > their password. Especially when you are a Domain Admin and highly
> > sensitive data could be obtained using a Domain Admin account.
> >
> > Can anyone please provide me with some knowledgeable insight so I
> > may champion a change regarding this current company policy?
>
> They could just change your password and give it to you when you need
> it/when they are done.
>
> Although it does simplify things when you know the user's credentials - it
> is not necessary *if* the user is knowledgable and can finish some of the
> setup themselves OR the tech support has time/social skills and can sit with
> the user after their initial setup of the machine (with all software and a
> decent starting default user profile) and have the user logon as necessary
> to finish the required setup.
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>
Lowdown is that if you give a Domain Admin password (which I assume is what
you mean) to an untrusted person, then that person effectively '3wnz' the LAN
from that point on. Even if you change the password when they are done, this
does not guarantee they haven't created a second Admin user for their own
purposes, or installed some kind of backdoor onto the domain controller.
Basically, Admin passwords should only be given to a highly-trusted person.
Even then, there may be the concern that, even though trustworthy, the person
does not realise the significance of what they've been given, and may thus
'leak' the password to other people who are not so trustworthy. I've had this
happen, I guess most admins must have at some time, and these days the answer
is a resounding 'No' unless I'm satisfied that security will be maintained.
"jd" wrote:
> Question:
> I am a Domain Admin in a Server Group and it is time for me to get a new
> notebook (workstation) again. The OS on the workstation will be either XP or
> possibly Vista. Every couple of years the Workstation Group comes over and
> requests my username and password in order to setup my new notebook.
You shouldn't be using a Domain Admin account as your regular login.
"Anteaus" wrote:
> Lowdown is that if you give a Domain Admin password (which I assume is what
> you mean) to an untrusted person, then that person effectively '3wnz' the LAN
> from that point on. Even if you change the password when they are done, this
> does not guarantee they haven't created a second Admin user for their own
> purposes, or installed some kind of backdoor onto the domain controller.
>
> Basically, Admin passwords should only be given to a highly-trusted person.
> Even then, there may be the concern that, even though trustworthy, the person
> does not realise the significance of what they've been given, and may thus
> 'leak' the password to other people who are not so trustworthy. I've had this
> happen, I guess most admins must have at some time, and these days the answer
> is a resounding 'No' unless I'm satisfied that security will be maintained.
>
> "jd" wrote:
>
> > Question:
> > I am a Domain Admin in a Server Group and it is time for me to get a new
> > notebook (workstation) again. The OS on the workstation will be either XP or
> > possibly Vista. Every couple of years the Workstation Group comes over and
> > requests my username and password in order to setup my new notebook.
>
Workstation deployment question 
Linear Mode
