in an enviroment where there is like 3 servers , server 1 DC with AD and Dhcp,dns 2 file storage 3 windows sql all the serveres are joined to the domain so the administrator password of server 1 can open all the other servers where there is important data and stuff but the i.t guys always need the administrator password to do any thing in the users PCs so what is the right way to manage a windows server environment like this or in general how does i.t departments work in small/midsize business sorry for my weak english and sorry if iam saying anything crazy , iam just a pro-user who got an i.t job and i think everything is wrong in this place and ((maybe)) i can fix it
9
-
This question should include more details and clarify the problem.– RamhoundCommented Apr 5, 2021 at 17:58
-
iam really sorry i said that iam new to i.t jobs . if you want a direct Q i just want to make the i.t department work without the administrator password of the DC– RyleCommented Apr 5, 2021 at 18:04
-
Why? There are functions an IT Administrator performs daily that can only be done with a privileged user account. Sounds like you should gain more experience before you make suggestions to your companies workflow. If you are as new as you sound, based on your description and the terms you used (specifically those you didn't use), expect your suggestions to be ignored.– RamhoundCommented Apr 5, 2021 at 18:05
-
yeah no doubt someone must have it i just want to achieve that where only one person or maybe tow to have the DC admin Pass and not every one in the i.t department– RyleCommented Apr 5, 2021 at 18:17
-
Why? How many Administrators you required as a company entirely depend on the number of unprivileged users you have. You have not listed a good reason for wanting to change your companies current workflow. Honestly, the entire question is unclear, and has numerous grammatical errors that make it almost unreadable.– RamhoundCommented Apr 5, 2021 at 18:26
|
Show 4 more comments
1 Answer
should all the i.t employees have the administrator password of the windows server DC to get the job done?
No only people responsible for the server and with authority to grant permissions should have the DC password. This should only be 2 or 3 people in case one sick,on vacation, or otherwise not available. Even then every person should have there OWN login and should use it exclusively so whatever they do can be audited.
Generally domains admins use there authority to create local admin account for IT to use. Either that or they are given there own domain account with PC admin privileges and not domain level permissions.
-
oh thanks ....so the local administrator account is what they must use , its disabled on most of the PCs !! and they are using the DC administrator account when they want to work on somthing :v– RyleCommented Apr 5, 2021 at 18:54
-
@Ryle Each user should have his own AD account so for example if you had John Doe you could have JDadmin for the username. In addition John Doe would have an ordinary account for his regular work say doej. However, even that account should not have full domain controller access unless it absolutely necessary. This way every thing can be audited. Commented Apr 5, 2021 at 19:22