7 Replies Latest reply on May 23, 2011 7:32 PM by SafeBoot

    Endpoint Administrator accounts

    epoNovice

      Hi,

       

      We are deploying Endpoint 6.1.  While adding individuals through the Add Local Domain Users option I want to add an Administrator account to each PC also so admins can bypass a user's Endpoint login.

      From what I can work out we need to create an EPO Admin account under Active Directory, then use the Add Group option in Endpoint users?  (Can you confirm this part?)

      Then I'm wondering how to make the password a standard for all admins.  E.g., as it's using the same policy as a normal user I presume it will start with the default of 1234 and then need to be changed.  I can't see a way to set it not to prompt for change - is this possible?

      Appreciate any help.

      (Currently we use Utimaco SafeGuard Easy and our admin password can be set to anything and doesn't prompt to change at any stage unless we set it.)

        • 1. Re: Endpoint Administrator accounts

          To be compliant with regulations and standard practice, every user should have a unique user name and password, then you assign the appropriate users to devices.


          You should never create or use shared accounts for anything.

          • 2. Re: Endpoint Administrator accounts
            epoNovice

            So is the process to create an EPO admin group in AD, put the administrators' normal AD accounts into that group and have the group assigned to each machine?

            If so, how is this automated?  I know how to go into Endpoint users and manually assign a group; with 8000 machines to roll out it needs to be automatic.

            Cheers

            • 3. Re: Endpoint Administrator accounts

              This would be a bad idea, and very bad security. For a start, do you really have 8000 administrators, and in the life of the machine, do you really think all 8000 of them will need to access it?

              Best practice and security regulations teach us to keep the user list of a machine to the smallest practical number. Also there's no real difference between an admin and a user - they are just two people after all, so think about the appropriate user list based on the possible population of people actually using a machine.

              Even our largest customers seem to be quite happy with local domain users, plus a group of a couple of hundred (at most) administrators - after all, if they have never used the machine, the likelihood of them using it is quite low.

              The difference between the two products that's causing confusion is that SGE requires a fixed admin password for the system - that's bad practice (in our opinion) - we let every individual have their own user id and password, because EEPC supports thousands of users (I think SGE supports 16?).

              So, every individual in your environment who uses a protected PC should have their own personal user id and password, then you assign them through inheritance as you need.

              • 4. Re: Endpoint Administrator accounts
                epoNovice

                No, sorry, misunderstanding.  We will have a group of about 18 who will be in the administrators group, but that group will be assigned to 8000 machines along with the individual users, hence making this a completely automated process.  I have been looking at the local domain users option to get the individual users on, but again we need to have administrators assigned also for troubleshooting and support.

                • 5. Re: Endpoint Administrator accounts

                  Just assign the 18 individuals at a higher node point in EPO so they get inherited by every machine - again I think this is an EEPC/SGE understanding issue - in EEPC, a user is a user, regardless of how many machines you assign them to - an admin called "John", assigned to 8000 machines, is still the same unique John everywhere. If he changes his password on one machine, it will get changed on all 7999 others. There's only one user called "John" no matter how many machines they use.

                  I think in SGE, each machine maintains its own unique user population, so you'd have 8000 different John users - this is NOT how EEPC works.

                  Your implementation engineer, or prof services guy, can help you set this up if it's not clear though.

                  • 6. Re: Endpoint Administrator accounts
                    epoNovice

                    Ah ok, I think I have you now. Just took a look on the EPO console: I can have the 18 admins assigned at the higher level of, say, Workstations in the system tree, then they get inherited by all the machines listed below in the subsequent groups.  That makes sense.  Then they have the same password on all machines no matter which individual client brings them in for support.

                    So final question - will that affect the admin's own machine if he is added using the Add Local Domain Users option?

                    Thanks again, been very helpful.

                    • 7. Re: Endpoint Administrator accounts

                      Nope - he will only get added once.
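The inheritance model SafeBoot describes in reply 5 (one identity per person, assigned once at a higher node and inherited by every machine beneath it) and the "only added once" answer in reply 7 can be illustrated with a small model. This is a constructed Python example added to the thread, not ePO's or EEPC's own code or API; the tree, the node names, the user names and the `User`/`Node` classes are all made up for the illustration.

```python
"""Constructed model of how EEPC user assignments inherit down the ePO system tree.

Added illustration only: every name and class here is hypothetical and does not
represent ePO's real data model or API.
"""
from __future__ import annotations

import hashlib
import hmac
import os


class User:
    """One EEPC identity. There is exactly one object per person, so a password
    change made from any machine is seen on every machine that inherits the user."""

    def __init__(self, name: str, password: str = "1234") -> None:
        self.name = name
        self._salt = os.urandom(16)
        self._digest = b""
        self.set_password(password)  # constructed default mirrors the thread's "1234"

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_password(self, password: str) -> None:
        self._digest = self._hash(password)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._digest, self._hash(password))


class Node:
    """A system-tree node (group or machine). Users assigned here apply to this
    node and to everything beneath it."""

    def __init__(self, name: str, parent: Node | None = None) -> None:
        self.name = name
        self.parent = parent
        self.assigned: list[User] = []

    def assign(self, *users: User) -> None:
        self.assigned.extend(users)

    def path_from_root(self) -> list[Node]:
        chain: list[Node] = []
        node: Node | None = self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def effective_users(machine: Node) -> list[User]:
    """Union of assignments from the root down to the machine, de-duplicated by
    identity: a user assigned at 'Workstations' and again locally appears once."""
    seen: dict[str, User] = {}
    for node in machine.path_from_root():
        for user in node.assigned:
            seen.setdefault(user.name, user)
    return list(seen.values())


def build_demo() -> dict[str, object]:
    """Constructed tree: 18 admins assigned at 'Workstations', individual local
    domain users per PC, and one admin (John) also added locally on his own PC."""
    root = Node("My Organization")
    workstations = Node("Workstations", root)
    sales = Node("Sales", workstations)
    pc1 = Node("PC-0001", sales)
    john_pc = Node("PC-0002", sales)

    admins = [User(f"admin{i:02d}") for i in range(18)]
    workstations.assign(*admins)          # inherited by every machine below
    john = admins[0]
    pc1.assign(User("alice"))             # local domain user of PC-0001
    john_pc.assign(User("bob"), john)     # John's own PC: John added locally too
    return {"pc1": pc1, "john_pc": john_pc, "john": john, "admins": admins}


if __name__ == "__main__":
    demo = build_demo()
    for machine in (demo["pc1"], demo["john_pc"]):
        print(machine.name, [u.name for u in effective_users(machine)])
```

Each machine ends up with its own local users plus the 18 inherited admins; John's own PC still lists him once, and because `admin00` is a single object, a password he sets from PC-0001 is the password that PC-0002 checks.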