AD Local Admins without password sharing

Posted by Cocoabean on Server Fault
Published on 2012-03-16T22:03:16Z Indexed on 2012/03/19 10:07 UTC

My team is building out an Active Directory environment in a small grad school with support for general computer labs, and staff/faculty machine and account management.

We have a team of student consultants that are hired to do general help desk work. As of now we have a local admin account on every machine. It has the same password and all of us know it. I know it's not best practice and I want to avoid this with the new setup. We want to have local admin accounts in case there are network issues that prevent AD authentication, but we do not want this account to be generic with a shared password. Is there a way we can get each machine to cache the necessary information to authenticate a group of local admins so that if AD is somehow inaccessible, student consultants can still log in with their AD admin accounts?

© Server Fault or respective owner
