Windows – What are best practices for giving users administrative access in Windows AD domain

active-directory, delegation, windows

The title may be slightly misleading but I'm interested in best practices for delegating administrative access for two different scenarios:

  • giving developers local administrative access to certain development servers

Initially I would just add the dev's AD account to the local Administrators group but this strategy quickly becomes difficult to manage. My second thought was to create a security group, add all developers to it and assign that group under the local Administrators group on the few development servers which they need access to. Please point out any problems with this strategy or if there is a better/easier/more standardized method.

And the second:

  • currently I am the only one who holds domain admin privileges. I am planning on locking away an envelope with passwords so that the company is not dead in the water if I get hit by a car (or some such accident occurs). My immediate concern however is my ability to take a vacation and delegate control to my boss for the duration of my absence.

Best Answer

Always create groups and assign rights to the groups, never people. Then assign/remove people from the groups. This is a Best Practice that will make your life much easier down the road.

As your business grows in size you can delegate control of a group to a manager through built-in tools in Windows to allow the manager to add/remove people. You keep the access restricted and remove some of the work you have to do.

The second part of your question should actually be a question by itself because the answers are different. I create secondary administrative accounts for selected people who are my backup (if necessary). This is not a day-to-day use account (no email, etc.) but it does have elevated rights in the domain. If I am going to be out of town or otherwise out of the office for an extended period of time I can activate these admin accounts and let my backup handle things.

You can also delegate control of rights such as "reset password" to manager/team leads so people do not have to contact you directly for that.
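The group-based approach from the question and the answer, plus the "activate the backup's admin account" step, as an added PowerShell example (not part of the original post or answer). It assumes the ActiveDirectory RSAT module and the built-in LocalAccounts cmdlets are available; the group, user, server and OU names are constructed placeholders.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module
# (RSAT) and Microsoft.PowerShell.LocalAccounts; every name below is constructed.
Import-Module ActiveDirectory

$GroupName  = 'SG-DevServers-LocalAdmin'           # constructed role-group name
$Developers = 'jdoe', 'asmith'                     # constructed developer accounts
$DevServers = 'DEV-APP01', 'DEV-APP02'             # constructed dev server names
$GroupOU    = 'OU=Role Groups,DC=corp,DC=example'  # constructed OU for role groups

# 1. Create the role group once (idempotent) and manage membership there,
#    never on the servers themselves.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description 'Local Administrators on development servers'
}
Add-ADGroupMember -Identity $GroupName -Members $Developers

# 2. Put the group (not the people) into local Administrators on each dev server.
Invoke-Command -ComputerName $DevServers -ArgumentList $GroupName -ScriptBlock {
    param($Group)
    $member  = "$env:USERDOMAIN\$Group"
    $present = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -eq $member }
    if (-not $present) { Add-LocalGroupMember -Group 'Administrators' -Member $member }
}

# 3. Audit: list any direct user accounts still in local Administrators. These are the
#    one-off additions that bypass the group and get forgotten when people move on.
Invoke-Command -ComputerName $DevServers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike '*\Administrator' } |
        Select-Object @{n = 'Server'; e = { $env:COMPUTERNAME }}, Name, PrincipalSource
} | Format-Table -AutoSize

# 4. Vacation cover: the backup's separate admin account stays disabled day to day.
#    Enable it only for the absence, with an expiry so it does not stay live if the
#    re-disable step is forgotten.
$BackupAdmin = 'boss-admin'   # constructed name of the boss's secondary admin account
Enable-ADAccount -Identity $BackupAdmin
Set-ADAccountExpiration -Identity $BackupAdmin -DateTime (Get-Date).AddDays(14)
```

Step 2 requires PowerShell remoting to the dev servers; step 4 assumes the secondary account already holds its domain rights via group membership, so only its enabled state changes.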
