I'm curious about how your desktop techs gain access to their machines. Do they have a centralized admin account that lets them manage all desktops? Are passwords for each desktop retrieved using LAPS? Or do they happen to know a universal admin password that's on every machine? I'm interested in the various methods being used!
4 Answers
Our techs each have desktop admin accounts that grant access to the machines they work on, but no server access. They primarily use standard accounts for daily tasks. Depending on their responsibilities, they might also have server admin accounts. It’s all about keeping admin access controlled!
In our setup, all techs have standard and admin-level accounts. For desktops, we typically use AutoElevate or LAPSAdmin locally. Admin privileges come into play mainly during remote management tasks, like with PowerShell.
Our standard process involves techs using a primary standard user account and a domain admin account for elevated access. If a device runs into domain issues, we have local admin accounts ready to reconnect.
Same here! If a machine loses its domain connection, we usually go for a complete reimage instead of fiddling with access.
We mainly use LAPS along with ConnectWise for accessing desktops. It streamlines the process quite a bit.
I’d be cautious with domain admin accounts for techs. It’s better to create a security group with appropriate permissions and have them use separate accounts for admin tasks.