I've recently been tasked with setting up Active Directory for my company, which has never used it before. Currently, employees log in with local accounts on their machines, and each shared machine like a server has multiple local accounts for each person. Now that we're moving to M365 and Azure AD, my CTO wants to handle the setup of each user's machine himself. He plans to create an account for each employee, assign a random password, and give it to him to store in LastPass. I'm really skeptical about this approach and think it's a security risk. Am I overreacting, or is this a bad idea?
5 Answers
You're not overreacting; this plan is ridiculous. This isn't how IT security works, especially in a small company. Serious alarms should be raised with higher-ups about this.
It sounds like your CTO might not be considering best practices for user accounts. Users should reset their passwords on first login to something of their choosing. Instead of storing individual passwords in a password manager, you should implement a self-service password reset tool to handle forgotten passwords.
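What that first-login reset looks like in Azure AD (now Entra ID) with the Microsoft Graph PowerShell module, as an added example that is not part of any answer in this thread; the tenant domain, user names and the User.ReadWrite.All scope are assumptions:

```powershell
# Added example (not from the thread): create Azure AD / Entra ID users with a
# one-time temporary password that must be changed at first sign-in, so neither
# the admin nor a shared password manager ever holds the user's real credential.
# Assumes the Microsoft.Graph module is installed and the admin has the
# User.ReadWrite.All scope; contoso.com and the names are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

function New-TempPassword {
    # 20 characters from a 64-symbol alphabet (no ambiguous I/O/l/i/o), drawn from a
    # CSPRNG; 256 % 64 == 0, so the modulo introduces no bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-='
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Constructed sample of new hires (placeholders).
$newHires = @(
    @{ Display = "Adele Vance"; Nick = "adelev" },
    @{ Display = "Alex Wilber"; Nick = "alexw" }
)

foreach ($h in $newHires) {
    $temp = New-TempPassword
    $user = New-MgUser -DisplayName $h.Display `
        -MailNickname $h.Nick `
        -UserPrincipalName "$($h.Nick)@contoso.com" `
        -AccountEnabled `
        -PasswordProfile @{
            Password                      = $temp
            ForceChangePasswordNextSignIn = $true   # user picks their own password at first sign-in
        }
    # Hand the temporary password over out of band (e.g. in person) and then discard it:
    # it stops working after the first sign-in, so nothing needs to live in a shared vault.
    Write-Host "Created $($user.UserPrincipalName); temporary password: $temp"
}
```

Pair this with self-service password reset enabled in the tenant so that forgotten passwords are handled by the user, not by an admin who would otherwise need a copy.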
You've got a point there; no one should know anyone else's password. It just leads to unnecessary complications and security risks. It's wild that he wants to do it this way.
Right? It’s just not how secure systems should be run. Passwords are personal to the user, and everyone having their own is key.
Please have a chat with someone about this. It's not okay for a CTO to approach account security this way. Your company needs to adhere to proper security protocols; this could get messy fast if he continues.
This whole plan sounds sketchy. Setting a generic password for everyone that they can change later when needed could be a better choice. That way, if anything goes wrong, the responsibility lies with him, not with the users.

Exactly, storing passwords is risky. While it's understandable to be concerned about password complexity, enforcing good practices like minimum length and character variety will help without needing to track every password.