Eliminating Local Administrator
Posted on 11-10-2022 09:54 AM
We'd like to remove having a local administrator account on our computers but I'm wondering how you might've addressed the issue of SSH/Remote Management/Screen Sharing access in your environments. The obvious answer seems to be a policy to create a temporary Admin and then remove it with another policy when it is done being used, but this isn't viable when there is an immediate need. I'd need to wait for the policy to run before getting access. Thoughts?
Posted on 11-10-2022 11:23 AM
Any thought to leveraging LDAP/Mobile Admin Account?
Posted on 11-10-2022 11:32 AM
It's a good option for hands-on-keyboard Admin account needs, but it would require someone logging in at least once from the login window before doing an SSH/Screen Sharing session.
Posted on 11-10-2022 11:43 AM
If screen sharing is enabled on those devices you should be able to utilize VNC (Google Chrome should still support this, I believe). Though that's Mac-Mac and both need to be on the same network as far as I'm aware. I've had some success with other support tools like BeyondTrust. I'm able to remote in on any platform, and because it installs a thin-client it doesn't really matter if the machine is on a different network.
Posted on 11-11-2022 06:22 AM
What's prompting the need for an ssh or screen sharing session? The end user or someone in your department logging into an unattended machine, or, if this is edu, a lab machine? If it's the end user, what about placing a policy in Self Service that creates a local admin account and gives it access to those two services? You'd have to either move it to a static group that runs a policy to remove it or think up some other way to remove the account after the fact.
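
One way to handle the "remove the account after the fact" step from the reply above, as an added example that is not from any poster in this thread: a cleanup script for a recurring policy that revokes SSH/Screen Sharing access and deletes temporary admin accounts once their expiry has passed. The records file, its `username expiry_epoch` format, the `DRY_RUN` switch and the `--run` argument are assumptions made for this example.

```shell
#!/bin/bash
# Added example: expire temporary local admin accounts on macOS.
# Assumption: whatever creates a temp admin appends "username expiry_epoch"
# to RECORDS (hypothetical path and format, not a Jamf convention).
RECORDS="${RECORDS:-/private/var/db/temp_admins.txt}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Print the names in file $1 whose expiry is at or before epoch $2.
# Names outside [a-z0-9_] and non-numeric expiries are skipped, so a
# malformed or tampered record can never cause an account deletion.
expired_accounts() {
  local file="$1" now="$2" name expiry
  [ -r "$file" ] || return 0
  while read -r name expiry _ || [ -n "$name" ]; do
    case "$name" in ''|*[!a-z0-9_]*) continue ;; esac
    case "$expiry" in ''|*[!0-9]*) continue ;; esac
    if [ "$expiry" -le "$now" ]; then echo "$name"; fi
  done < "$file"
  return 0
}

# In dry-run mode print the command instead of running it.
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Revoke Remote Login and Screen Sharing access, then delete the account.
remove_temp_admin() {
  run dseditgroup -o edit -d "$1" -t user com.apple.access_ssh
  run dseditgroup -o edit -d "$1" -t user com.apple.access_screensharing
  run sysadminctl -deleteUser "$1"
}

# Remove every expired account, then keep only well-formed records that
# are still in the future. $1 overrides the current time (epoch seconds).
cleanup() {
  local now="${1:-$(date +%s)}" name tmp
  for name in $(expired_accounts "$RECORDS" "$now"); do
    remove_temp_admin "$name"
  done
  if [ "$DRY_RUN" = "1" ]; then return 0; fi
  tmp="$(mktemp "${RECORDS}.XXXXXX")" || return 1
  awk -v now="$now" '$2 ~ /^[0-9]+$/ && $2 > now' "$RECORDS" > "$tmp" && mv "$tmp" "$RECORDS"
}

# Act only when --run is passed as any argument (run as root from the policy).
case " $* " in *" --run "*) cleanup ;; esac
```

With the default `DRY_RUN=1` the script only prints the commands it would run, which is a safe way to check the records file before letting it delete anything.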