Sunday, December 03, 2006

Take Control of High Level Userid's

It's been a while since I published anything so I figured I would drop a quick tip/suggestion for account administration that works well. One of the most overlooked and dangerous habits of system administrators, development staff etc is good plan for safe usage of high access user accounts. Obviously it's bad practice to allow users to perform all of their day to day responsibilities (email, web browsing, etc.) while logged in as an administrator. These accounts should be reserved only for performing the duties in which they were created for. If allowing otherwise, one of your power users users will eventually succumb to a virus or browse some illegitimate website and reak much more havoc on your infrastructure as they potentially would logged in as a normal user.. Not a good plan.

So, how is your staff supposed to do their jobs without having an administrator account? One simple solution that works well is to create two separate accounts for these users. One account should have very minimal access levels allowing just the basics. The users should use these accounts as their login everyday. Make the second id's similar to the first but prefix them with a standard naming convention like "admin" to make them easier to manage. The second id's should have all appropriate permissions for all of the employees tasks.

Now, forcing your users to login and logout all day long will make them go bananas, and truthfully you will not get anyone to abide by this for very long without forcing and denying things link email on the administrator accounts. To make every one's life easier, you could create a batch file for each the users that executes the RUNAS command, and fires up the command prompt running as the admin user.

Example of the batch file contents:
runas /user:domain\administratorid cmd

Drop a shortcut to the batch on their desktops via AD to make it really easy for them. There's also alot of good options in the runas command that you can take advantage of like using alternate profiles if need be.

Now that we have our user logged in with a stripped down account, and they are running the cool custom command prompt as the administrator you should be all set. The user can actually drag and drop any program into this command prompt (Computer manager, SQL manager, etc) and voila - it fires up as the admin account. The user can keep this prompt running all day and use it over and over whenever they need to access an admin level application.

In closing - Having a good, organized strategy for account access is paramount in creating a safe, secure and happy infrastructure.