Re: Re: Securing workstations from IT guys

<snip>
#2 If IT does not know the local admin password, how can they do their job, 
patching & maintaining the PC. Realistically, there shouldn't be any HR related 
applications that absolutely require end users to use the Admin ID to do their 
job. And there is no other reason for user to know admin password.</snip>

Where I work we use images from our corporate parent. We install them over the 
network, leaving the "admin" account password as it was set by corporate, which 
allows them to push updates they have tested for conflicts. AFAIK only the 
people who make the images and the Landesk software know that password. The 
local techs have two accounts, a "normal" account and a "shortname" account 
with full admin privileges. Normally the tech will login with the normal 
account, but when there is a need to install software or do anything else 
requiring admin rights the shortname is used. The shortname accounts are 
monitored more closely than the normal accounts, and any tech abusing his 
position will be dealt with appropriately.