We are a small company with 15 users which is now setting up its first Active Directory (1 machine with Windows Server 2016 Essentials). I am unsure how to set up a secure environment for my situation with regard to workstation maintenance (and I am also quite new to this topic).

I am the IT administrator and also manager of the company, and I have an employee who helps me in supporting the users with their local machines (let's call him "workstation admin"). We do have complex Excel add-ins, user-specific R scripts, user-specific non-domain mail accounts, and so on, on our workstations, and sometimes the users need IT support to configure them, update them, debug something, etc. As the profiles are quite specific, most of the configuration needs to be done within the local user profile.

For this, the users hand over their logged-in computers to the workstation admin, who then takes care of the setup issues (the users then usually go into a meeting or for a coffee, etc.). However, I would not like the workstation admin to have access to the SMB shares of sensitive users (accounting, managers, human resources) during his maintenance work.

At the moment (using a Windows file server, but without a domain) I do the following: I have a logon/logoff script deployed on the machines, so that the users can sign out from the file server and reconnect with a less privileged user, so only "regular" SMB shares appear. The policy is that users need to log out via this script before handing over the PC to someone else. When the PC is returned, the users run the login script, which asks for the credentials, for the privileged SMB shares to return. This turned out to work fine for us.

I am looking for a solution to maintain this type of security level within an Active Directory architecture, and I am wondering what a best-practice solution could be (I do assume that other companies have this problem as well). I considered several solutions (additional non-domain file server, encryption of the shares, multi-factor authentication, etc.) but I did not come to a solution.

Do you have any suggestions for this problem? Thanks!
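As an added illustration, not the poster's own script, this is one way the hand-over/return workflow described in the question can be expressed in PowerShell. The server name FS01, the share names, drive letters and the low-privilege account name are assumptions.

```powershell
# Added example: drop privileged SMB connections before a PC is handed over,
# and reconnect them with the user's own credentials on return.
# Assumed names: file server FS01, privileged share "Accounting", regular share "Public".
param([ValidateSet('Handover','Return')][string]$Mode = 'Handover')

$Server     = 'FS01'                                  # assumption
$Privileged = @{ Drive = 'P'; Share = 'Accounting' }  # assumption
$Regular    = @{ Drive = 'S'; Share = 'Public' }      # assumption

function Disconnect-ServerShares {
    # Windows allows only one credential set per server per session (error 1219),
    # so every connection to the server must be dropped before reconnecting.
    Get-SmbMapping | Where-Object { $_.RemotePath -like "\\$Server\*" } |
        Remove-SmbMapping -Force -UpdateProfile
    # Remove any credential cached for the server so the privileged identity
    # cannot be silently reused by the next connection attempt.
    cmdkey /delete:$Server | Out-Null
}

function Connect-Share($Mapping, $Credential) {
    New-SmbMapping -LocalPath "$($Mapping.Drive):" `
        -RemotePath "\\$Server\$($Mapping.Share)" `
        -UserName $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password
}

switch ($Mode) {
    'Handover' {
        Disconnect-ServerShares
        # Reconnect only the regular share, as the low-privilege account (assumed name).
        $cred = Get-Credential -UserName 'FS01\shareuser' -Message 'Low-privilege share account'
        Connect-Share $Regular $cred
    }
    'Return' {
        Disconnect-ServerShares
        # The returning user enters their own credentials; privileged shares come back.
        $cred = Get-Credential -Message 'Your own account for the privileged shares'
        foreach ($m in $Regular, $Privileged) { Connect-Share $m $cred }
    }
}
```

Note that this reproduces the current workgroup workflow only: once the machine is domain-joined, a new connection opened from the still-logged-on session authenticates with that user's own domain ticket, so removing drive mappings no longer hides the privileged shares from whoever holds the session.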
