Hi All,
This may sound like a strange one but bear with me! I've tried googling it but nobody else seems to have had this scenario before.
We have a few Application servers in our Enterprise on which we have had to give external vendors admin access in order for them to maintain/manage their application. Most of these guys are fine, but unfortunately there are 1 or 2 that only know their application and don't know much about Windows, AD etc.
My fear is that they may decide to create a service account (for example) without telling anybody and run a service under that account (and give it full admin rights - because that's all they know). We are using restricted groups to control admin access on that server, but these will only get refreshed every 16 hours. So potentially one of these guys could create an account, give it local admin rights, run the service with that account and everything's hunky dory. Then they go home happy, next day the restricted group kicks in, and all of a sudden the service stops working.
This is just one scenario. Another is a lot more simple - that they might create a local account with admin access and use this to bypass any restrictions we may have set.
Either way, I don't want this happening. Our guidelines are clear - all accounts must be domain based, even service accounts.
I know I can restrict MMCs, set permissions on who can logon locally, interactively, logon as a service etc. But if possible I'd like to nip this in the bud and just prevent them from creating accounts in the first place. Does anybody know if this is possible? Or will I just have to control this with user rights assignments?
PS: the above isn't an every day occurrence ... it's just a worst case scenario ... my mind goes into paranoia overdrive sometimes
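As an added example (not part of the original post), here is a PowerShell audit script for exactly the scenario described: it lists local accounts beyond the built-ins, non-domain members of the local Administrators group, services running under local accounts, and recent 4720/4732 events, so the gap between Restricted Groups refreshes can be checked rather than trusted. It assumes PowerShell 5.1 or later with the LocalAccounts module, rights to read the Security log, and that 'CORP' is a placeholder for your domain's NetBIOS name.

```powershell
# Added example, not from the original post. Audits one server for the scenario
# described above: local accounts that should not exist, non-domain members of the
# local Administrators group, services running under local accounts, and recent
# account-creation / group-membership events in the Security log.
# Assumes: PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts, rights to read
# the Security log, and that audit policy records events 4720 and 4732
# (Audit User Account Management / Audit Security Group Management).
param(
    [string]$DomainNetbios = 'CORP',   # placeholder: replace with your domain's NetBIOS name
    [int]$LookbackHours = 24           # cover at least one Restricted Groups refresh window
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Subject, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail })
}

# 1. Any local user beyond the built-ins violates the "domain accounts only" rule.
$builtin = 'Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'
Get-LocalUser | Where-Object { $_.Name -notin $builtin } | ForEach-Object {
    Add-Finding 'LocalUserExists' $_.Name "Enabled=$($_.Enabled) LastLogon=$($_.LastLogon)"
}

# 2. Local Administrators members that are not domain principals: this is what
#    Restricted Groups would strip at its next refresh, i.e. the window in question.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -ne 'ActiveDirectory' -and $_.Name -notlike '*\Administrator' } |
    ForEach-Object { Add-Finding 'NonDomainLocalAdmin' $_.Name "Source=$($_.PrincipalSource)" }

# 3. Services whose logon account is neither a built-in/virtual account nor a domain account.
Get-CimInstance Win32_Service | Where-Object {
    $_.StartName -and $_.StartName -ne 'LocalSystem' -and
    $_.StartName -notlike 'NT *' -and                                          # NT AUTHORITY\... and NT SERVICE\...
    $_.StartName -notlike "$DomainNetbios\*" -and $_.StartName -notlike '*@*'  # DOMAIN\user or UPN form
} | ForEach-Object { Add-Finding 'ServiceRunsAsLocalAccount' $_.Name "StartName=$($_.StartName)" }

# 4. 4720 = user account created, 4732 = member added to a security-enabled local group.
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddHours(-$LookbackHours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    $actor = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
    if ($_.Id -eq 4720) { Add-Finding 'Event4720' $data.TargetUserName "created by $actor at $($_.TimeCreated)" }
    else { Add-Finding 'Event4732' $data.MemberSid "added to $($data.TargetUserName) by $actor at $($_.TimeCreated)" }
}

$findings | Sort-Object Check | Format-Table -AutoSize
```

Run it from a scheduled task more often than the Restricted Groups refresh, or forward 4720/4732 to your SIEM, so a vendor-created local admin is noticed before the policy silently breaks their service.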