Windows – Should I add the user account to local admin group to manage remote Windows hosts? (Server 2012)

Tags: remote-access, windows

I have set up a few Windows Server 2012 VMs and am experimenting with my first Core install. I intend to manage these servers with Server Manager and PowerShell. As I understand it, I either need to add my user to the local admin group of the remote system or "Manage As" the servers with the domain admin's account. A 3rd option I can see is creating a new account that only has local admin privileges for the servers that I will be managing in this way.

Which of the three practices is the most appropriate? (Or is there a better 4th option?)

  1. Add my user to remote server's local admin group.
  2. Use Server Manager's "Manage As" option to connect to the remote servers with the domain admin's credentials.
  3. Create a new user that is only added as the local admin where appropriate and then use "Manage As" to connect.
  4. Something else?

Best Answer

In an AD domain environment, local accounts are typically frowned upon simply because they're more difficult to manage/keep track of. Once you have too many different local accounts with too many separate passwords on too many servers, you'll start to do inevitable dumb things like keeping track of them all in a spreadsheet, and not changing their passwords in 3 years...

Domain accounts usually keep things much neater.

You can use things like Restricted Groups in Group Policy to keep the local Administrators group of your machines clean and predictable.

If you have a certain group of machines that you need to be an admin of, but you don't need to be admin of every machine in the domain, then by all means, feel free to use Group Policy to add a particular account as an admin to a particular set of machines. For instance, use Group Policy to assign the "Accounting Department Managers" group to the Administrators group on all the machines that reside in the "Accounting Department" OU, etc.

And you are definitely on the right track that remote administration with Server Core is the way to go. There is less security exposure, both because Server Core versions have less surface to attack and because remote administration allows for network logons, which in themselves give less exposure to attack than a full-blown interactive logon via RDP.

Edit: One last tip... do not use Group Policy Preferences to create net new accounts. That's not secure. Adding existing domain accounts (or groups) to local groups is fine - but don't use GPP to create brand new users with their passwords stored in GPP.
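As an added example (not part of the answer above), here is a PowerShell audit that checks whether the local Administrators group on a set of Server Core hosts still matches what Restricted Groups is supposed to enforce. The host names, the CONTOSO domain and the approved-member list are constructed placeholders; it uses the WinNT ADSI provider so it works on Server 2012 Core without the newer LocalAccounts module.

```powershell
# Added example: audit local Administrators membership over PowerShell remoting and
# flag any member that is not on the approved list (Restricted Groups drift check).
# Server names, domain name and approved list below are assumptions for illustration.

$Servers  = 'core01', 'core02'                        # constructed sample hostnames
$Approved = @(                                        # what Restricted Groups should enforce
    'CONTOSO\Domain Admins',
    'CONTOSO\Accounting Department Managers',
    'Administrator'                                   # built-in local account
)

$Results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    # WinNT provider is available on Server 2012 Core; no Get-LocalGroupMember needed.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath forms: WinNT://CONTOSO/Domain Admins      (domain principal)
        #                WinNT://CONTOSO/CORE01/Administrator (local account)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name  = $parts[-1]
        $scope = $parts[-2]
        if ($scope -ine $env:COMPUTERNAME) { $name = "$scope\$name" }   # qualify domain members
        [pscustomobject]@{ Member = $name; Type = $class }
    }
}

# Report one line per member; anything UNEXPECTED means the group has drifted
# from policy (or someone added a local account by hand) and should be investigated.
'{0,-10} {1,-8} {2,-45} {3}' -f 'Server', 'Type', 'Member', 'Status'
foreach ($r in $Results | Sort-Object PSComputerName, Member) {
    $status = if ($Approved -icontains $r.Member) { 'OK' } else { 'UNEXPECTED' }
    '{0,-10} {1,-8} {2,-45} {3}' -f $r.PSComputerName, $r.Type, $r.Member, $status
}
```

Run it from a management host as an account that is already an administrator on the target servers; it only reads group membership and changes nothing, so it is safe to schedule as a recurring drift check.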