Eliminating Local Administrator

VT-Vincent
New Contributor III

We'd like to remove having a local administrator account on our computers but I'm wondering how you might've addressed the issue of SSH/Remote Management/Screen Sharing access in your environments. The obvious answer seems to be a policy to create a temporary Admin and then remove it with another policy when it is done being used, but this isn't viable when there is an immediate need. I'd need to wait for the policy to run before getting access. Thoughts?

4 REPLIES

DA2022
New Contributor III

Any thought to leveraging LDAP/Mobile Admin Account?

VT-Vincent
New Contributor III

It's a good option for hands-on-keyboard Admin account needs, but it would require someone logging in at least once from the login window before doing an SSH/Screen Sharing session.

DA2022
New Contributor III

If screen sharing is enabled on those devices you should be able to utilize VNC (Google Chrome should still support this, I believe). Though that's Mac-Mac and both need to be on the same network as far as I'm aware. I've had some success with other support tools like BeyondTrust. I'm able to remote in on any platform, and because it installs a thin client it doesn't really matter if the machine is on a different network.

mainelysteve
Valued Contributor II

What's prompting the need for an SSH or screen sharing session? The end user or someone in your department logging into an unattended machine, or, if this is edu, a lab machine? If it's the end user, what about placing a policy in Self Service that creates a local admin account and gives it access to those two services? You'd have to either move it to a static group that runs a policy to remove it or think up some other way to remove the account after the fact.
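
The removal step this thread leaves open, as an added example that is not from any poster here: a sweep script, run as root on a schedule, that deletes the temporary admin once it passes a time limit. The account name `tempadmin`, the stamp file path and the one-hour limit are assumptions; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/bash
# Added example: expire a temporary local admin account on macOS.
# Hypothetical names: the account "tempadmin", the stamp file path, the 1 hour TTL.
TEMP_USER="${TEMP_USER:-tempadmin}"
STAMP="${STAMP:-/var/db/.tempadmin_created}"   # holds creation time, epoch seconds
TTL_SECONDS="${TTL_SECONDS:-3600}"

# With DRY_RUN=1, print each command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

account_exists() { id "$TEMP_USER" >/dev/null 2>&1; }

# Succeeds when the account has outlived the TTL. A missing or non-numeric
# creation time counts as expired, so a lost stamp file cannot keep it alive.
is_expired() {  # args: created_epoch now_epoch
  case "$1" in ''|*[!0-9]*) return 0 ;; esac
  [ $(( $2 - $1 )) -ge "$TTL_SECONDS" ]
}

revoke_temp_admin() {
  # Drop the service ACL memberships first; the groups only exist when
  # access is limited to specific users, so failures are tolerated.
  run dseditgroup -o edit -d "$TEMP_USER" -t user com.apple.access_ssh || true
  run dseditgroup -o edit -d "$TEMP_USER" -t user com.apple.access_screensharing || true
  run sysadminctl -deleteUser "$TEMP_USER" -secure
  run rm -f "$STAMP"
}

sweep() {  # arg: now_epoch (defaults to the current time)
  now="${1:-$(date +%s)}"
  account_exists || { echo "no account $TEMP_USER"; return 0; }
  created="$(cat "$STAMP" 2>/dev/null || true)"
  if is_expired "$created" "$now"; then
    revoke_temp_admin
  else
    echo "keep $TEMP_USER"
  fi
}

# Run as root on a recurring schedule: script.sh --sweep
if [ "${1:-}" = "--sweep" ]; then sweep; fi
```

The policy that creates the account would write its creation time (`date +%s`) to the stamp file so the sweep has something to measure against.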