MysticLlama
Golden Member
I want to do something a little strange.
My boss has this crazy thing about the network being usable after someone from IT leaves, or gets ticked and quits, gets hit by a Mack truck, etc.
What we are thinking of setting up is a device level trust that would allow a device (such as a PocketPC) to have full rights to manage a server even if the admin password has been changed.
I don't know if this is even possible or not. I would guess that it could possibly be done with a smart card as the only login to a secure account? I'm not sure how to do it with a regular sort of device though. It seems to me what I'm dealing with is the "I want the key in my hand" mentality.
Another thing is that I tried to make a manager account, and set it up so that the only user with rights to change it was "SELF", but I have a two-server Active Directory setup, and it only lasts like 30 minutes, and then it reverts to regular permissions and administrator can change it again. I'm thinking maybe this has something to do with the directory replication between servers correcting this because it thinks it's wrong? I was thinking if I could build an account like this and my manager had the password, maybe that would suffice, because then someone with admin rights couldn't just go and change it.
Somehow I get the feeling that they were really burned by an IT person in the past, so I'm just looking into the possibilities of something like this.
Any ideas?
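An added diagnostic, not part of the original post, for the permission reset described above: it dumps the explicit access control entries on the manager account, lists every principal other than SELF that still holds write rights, and reports the account's adminCount attribute. An adminCount of 1 marks the account as protected, which means the domain periodically rewrites its ACL from the AdminSDHolder template; that is a well-documented cause of exactly this kind of reversion and worth ruling out before blaming replication. It assumes the ActiveDirectory PowerShell module on a domain-joined host; the account name is a placeholder.

```powershell
# Added example (not from the original post): inspect who can modify an AD user
# object and whether the account is flagged as protected (adminCount = 1).
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
# 'manager-placeholder' is a placeholder account name.
Import-Module ActiveDirectory

function Get-ManagerAccountAclReport {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # Any right that lets a principal change the object or its security descriptor
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Explicit (non-inherited) Allow entries granting write to anyone other than SELF.
    # If the account was restricted to SELF only, this list should be empty.
    $nonSelfWriters = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            -not $_.IsInherited -and
            (($_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
            $_.IdentityReference.Value -ne 'NT AUTHORITY\SELF'
        } |
        Select-Object IdentityReference, ActiveDirectoryRights

    [pscustomobject]@{
        Account            = $user.DistinguishedName
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        AdminCount         = $user.adminCount   # 1 => ACL is periodically reset from AdminSDHolder
        NonSelfWriters     = $nonSelfWriters
    }
}

Get-ManagerAccountAclReport -SamAccountName 'manager-placeholder' | Format-List
```

Run it right after applying the restriction and again an hour later; if NonSelfWriters is empty at first and repopulated later while AdminCount is 1, the reset is the protected-account mechanism, not replication, and no per-object ACL will hold against it.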