Hi,
We have a system that requires often vendors to have local administrator access on the servers in the network.
The scenario is as follow. Vendor A has local admin access to 10 servers, now and then vendor A needs help from vendor B, and they need local admin access also. So we have created a group in AD that is called "Admin Access Vendor B" and this group is added to the local administrator group on all 10 servers. Usually this group is empty, but when vendor A needs help from vendor B, we populate the group "Admin Access Vendor B" with users from vendor B, so now they have admin access to all 10 servers until we remove them from the group.
We are not sure if this is the best way to go, since we then often have a lot of empty groups added to the local administrators groups on many servers, but as long as there are no users in this groups i guess its ok ? I guess if someone should be able to add them self to the group, well then they have admin access on the domain...
Another thing could be a solution is to have some kind of time limit on the accounts added to the local administrator group. Say that you add "Admin Access Vendor B" to the local administrators group on all 10 servers, but this group will automatically be removed from the local administrators group after 2 days.... is there any solution like this ? or other suggestions....
Thanks for answers.
/Regards Andreas