Hi!
We manage a small network and have rolled out a couple of MS Surface laptops within a local domain. The server is a Windows 2012 Server with the AD role. The Surface laptops are part of the local domain. To prevent users from installing software, the users have restricted user rights. In some cases we would like to provide the Surface and desktop users with a temporary user account with admin rights in case they have to install business-critical software (in consultation).
We have created a second administrator account (Temp Admin) that is disabled by default. When a user needs to install software, we enable the temp admin account and provide a changed password (we change the password on every occasion). After the installation is completed, we disable the temp admin account again.
The question is about the following scenario: the Surface laptop is within range of the local network and the local DC, and the laptop user logs on with the temp admin account and installs the desired software. Then the user logs off and resumes working under their own user account again (with user rights).
The server administrator then disables the temp admin account on the server (DC).
What happens when the user has left the building with their Surface laptop, out of range of the local DC, and tries to log on with the temp admin account again? In this scenario the Surface laptop is unable to connect to the local DC (because it is out of range) and unable to notice (?) that the account has been disabled. Does the user in this scenario still have access to the temp admin account using the provided temp login credentials? It is also possible for a domain user to log in on their laptop even when it is out of range of the local DC; does this also apply to temp admin accounts? Then it would be a bad solution… or is it possible to force a user account to be usable only when a DC is in reach? (Disable cache mode?)
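As an added example (not code from the original post), the workflow described in the question scripted in PowerShell on the DC with the ActiveDirectory module, followed by the laptop-side setting that "disable cache mode" maps to: the number of domain logons Windows keeps cached for use when no DC is reachable. The account name TempAdmin is an assumption; Windows caches a verifier of the password each domain user last logged on with, so neither the disable nor the password reset on the DC reaches a laptop that is offline, and the last section shows the value that controls whether such cached entries exist at all.

```powershell
# Added example, not from the original post: the temp-admin workflow from the
# question, run on the DC with the ActiveDirectory module, followed by the
# laptop-side setting that controls offline (cached) domain logons.
# The account name 'TempAdmin' is an assumption.
Import-Module ActiveDirectory

$account = 'TempAdmin'   # assumed sAMAccountName of the temp admin account

function New-RandomPassword {
    # 24 random bytes from the OS CSPRNG, Base64-encoded: 32 characters of
    # mixed case, digits and symbols. Works on Windows PowerShell 5.1 and PowerShell 7.
    param([int]$Bytes = 24)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    $rng.Dispose()
    return [Convert]::ToBase64String($buf)
}

# --- Before the installation: fresh password, then enable ---
$plain = New-RandomPassword
Set-ADAccountPassword -Identity $account -Reset `
    -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
Enable-ADAccount -Identity $account
Write-Host "Hand this password to the user out of band: $plain"

# --- After the installation: disable, and rotate the password once more so
#     the value the user was given is no longer valid on the DC ---
Disable-ADAccount -Identity $account
Set-ADAccountPassword -Identity $account -Reset `
    -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
Get-ADUser -Identity $account -Properties Enabled, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet

# --- On the laptop (run elevated): the cached-logon setting the question asks about ---
# This is the registry value behind the Group Policy setting
# "Interactive logon: Number of previous logons to cache (in case domain
# controller is not available)". Windows caches a verifier of the password each
# domain user last logged on with, so the disable and the reset above never reach
# a laptop that is offline. Default is 10 cached logons; '0' turns caching off,
# which also stops the users' own domain accounts from logging on without a
# reachable DC.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
(Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount

# To disable offline logons on this machine (the value is REG_SZ, hence the string):
# Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0'
```

The first two sections run on the DC; the last one runs on the laptop itself or is pushed to the laptops through Group Policy. Setting the value to 0 is an all-or-nothing switch per machine: it cannot be applied to the temp admin account alone, so it also removes offline logon for the laptop user's normal account.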