A Root by Any Other Name

In an earlier article, I wrote about a method for managing Local Administrator accounts using Active Directory security groups. There is one problem with this method, of course, and it’s a whopper. Regardless of how efficiently you manage Local Administrator group membership, every time you add a Local Administrator to your environment, you’re granting the equivalent of a UNIX root account.

There are lots of ways to say it, but it always means the same thing.  Local Administrator is root.

In other words, you’re giving away complete control of that computer: operating system, in-memory data, persistent (hard drive) data, application configurations, ports, services, firewall, job scheduler, drivers, and everything else.

It may be for only an hour or so, while an offsite contractor uses the account to reboot a Web service. But that’s an hour in which the system is owned by someone who, in all likelihood, has no business justification for that extraordinary level of privilege.

Centrify Server Suite can help you reduce or eliminate entirely the practice of handing out Local/Domain Administrator accounts to administrators who, in the example I used earlier, just need to reboot a Web service. Or install an application. Or configure Windows Firewall. Or do pretty much anything that’s needed on a Windows Server.
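To make the "reboot a Web service" case concrete, here is what delegating exactly that one task looks like with the mechanism Windows itself provides: the service's own DACL. This is an added example for this post, not Centrify Server Suite and not the method from the earlier article; it is the native alternative to handing out Local Administrator for a single service. The service name (W3SVC, the IIS World Wide Web Publishing Service) and the group name (CONTOSO\Web-Operators) are assumptions and should be replaced with your own.

```powershell
# Added example (not from the original post, not Centrify Server Suite):
# grant ONE Active Directory group the right to start/stop/restart ONE
# service through the service's security descriptor, so its members never
# need Local Administrator for that task.
# Assumptions: service W3SVC, group CONTOSO\Web-Operators (both placeholders).
# Run from an elevated PowerShell session on the server itself.

param(
    [string]$ServiceName = 'W3SVC',                 # assumed service
    [string]$Group       = 'CONTOSO\Web-Operators'  # assumed AD group
)

# SDDL ACEs carry SIDs, not names, so resolve the group first.
$account = New-Object System.Security.Principal.NTAccount($Group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the current descriptor. sc.exe sdshow prints a blank line and then
# one SDDL line such as:
# D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;...;;;WD)
$current = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' } | Select-Object -First 1)
if (-not $current) { throw "Could not read the security descriptor of service '$ServiceName'." }
$current = $current.Trim()

# Rights granted: CC/LC/SW/LO/RC = query config, query status, enumerate
# dependents, interrogate, read the descriptor; RP/WP/DT = start, stop,
# pause/continue. Deliberately NOT granted: DC (change config, e.g. the
# binary path), SD (delete), WD/WO (change permissions/owner). Any of those
# would hand the group Local Administrator by another road.
$ace = "(A;;CCLCSWRPWPDTLORC;;;$sid)"

if ($current.Contains($sid)) {
    Write-Host "An ACE for $Group ($sid) is already present on $ServiceName; nothing changed."
    return
}

# Append the ACE to the DACL ("D:...") while preserving any SACL ("S:...")
# that follows it. sdset replaces the whole descriptor, so the existing
# entries must be carried over.
if ($current -notmatch '^(?<dacl>D:.*?)(?<sacl>S:.*)?$') {
    throw "Unexpected SDDL format: $current"
}
$new = $Matches['dacl'] + $ace + $Matches['sacl']

Write-Host "Before: $current"
Write-Host "After:  $new"
sc.exe sdset $ServiceName $new
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }

# Verify the ACE actually landed.
$after = (sc.exe sdshow $ServiceName) -join ''
if ($after -notmatch [regex]::Escape($ace)) { throw "ACE was not applied to $ServiceName" }
Write-Host "Members of $Group can now run: Restart-Service $ServiceName"
```

A member of the group, logged on without Local Administrator, can then run `Restart-Service W3SVC` and nothing else on the box. Two caveats a practitioner will hit: if restarting the service requires stopping services that depend on it, the same ACE has to be granted on those too, and the group must not be able to write the service's binary or change its configuration, or the delegation is root again. Note also how narrow this is. It solves the reboot case and nothing else; installing an application or changing Windows Firewall each needs its own delegation, which is exactly the gap the post is pointing at.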

If you’re interested in learning more about privileged account management and auditing for Windows Server, you can request a trial of Centrify Server Suite for your lab or test environment and see for yourself how you can enable your Windows administrators to do their job without handing out the keys to your IT kingdom.

http://www.centrify.com/windows/windows-privilege-management.asp

http://www.centrify.com/windows/record-and-replay-privileged-user-sessions.asp