
PC admin account with more than one user ?

NigelG
Level 1

We are new to this so probably a basic question.

We have Admin accounts on PCs, all called administrator, but we want multiple engineers to have the ability to log into those for admin purposes. What's a good way to achieve this? We don't really want unique admin accounts for each possible engineer to log in with.

These are desktop PCs with local logins, not AD etc.

Many thanks

Accepted Solutions

DuoKristina
Cisco Employee

Although in general I would never recommend using a shared administrator account (how do you audit privileged activity by individual admins?), if you must you can associate up to 100 phones or tokens with an individual user in Duo representing your shared credential.

This would look like:

  1. one "administrator" user in Duo
  2. a phone or hardware token for each of the multiple engineers added in Duo and attached to that one "administrator" user
  3. change the autopush default for Duo for Windows Logon so it doesn't automatically send a 2FA request to the first phone attached to the "administrator" user
  4. whoever logs into a Duo-protected Windows system as "administrator" can choose the phone that belongs to them in the Duo 2FA prompt to proceed, or enter the passcode from their hardware token.

Read more in the Duo KB article Can multiple users authenticate with a shared account on a system protected with Duo for Windows Logon? 

Duo, not DUO.
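
Because each engineer approves with their own phone or token, the 2FA device is the only per-person signal on a shared "administrator" login, which bears on the auditing question raised in the answer above. The following is an added example, not part of the original thread and not Duo's own code: it attributes successful 2FA events on the shared account to an engineer by device and lists the ones that cannot be attributed. The event fields, device labels, host names and engineer names are constructed assumptions and do not reflect any vendor log schema.

```python
from collections import defaultdict

# Constructed enrollment list: 2FA device label -> engineer it was issued to.
DEVICE_OWNER = {"phone-a": "alice", "phone-b": "bob", "token-1001": "carol"}

# Constructed 2FA events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"time": "2024-05-01T09:02:11", "user": "administrator", "host": "PC-014",
     "device": "phone-a", "result": "success"},
    {"time": "2024-05-01T09:40:03", "user": "administrator", "host": "PC-020",
     "device": "token-1001", "result": "success"},
    {"time": "2024-05-01T11:15:47", "user": "administrator", "host": "PC-014",
     "device": "phone-b", "result": "denied"},
    {"time": "2024-05-01T13:05:30", "user": "administrator", "host": "PC-007",
     "device": "phone-z", "result": "success"},   # device nobody was issued
    {"time": "2024-05-01T14:22:09", "user": "administrator", "host": "PC-007",
     "device": None, "result": "success"},        # no device recorded
    {"time": "2024-05-01T15:00:00", "user": "administrator", "host": "PC-020",
     "device": "phone-a", "result": "success"},
]


def attribute(events, device_owner, shared_user="administrator"):
    """Split successful shared-account logins into per-engineer and unattributed."""
    per_engineer = defaultdict(list)
    unattributed = []
    for ev in events:
        if ev["user"] != shared_user or ev["result"] != "success":
            continue  # only completed logins on the shared account matter here
        owner = device_owner.get(ev["device"])
        if owner is None:
            unattributed.append(ev)  # needs follow-up: no engineer can be named
        else:
            per_engineer[owner].append((ev["time"], ev["host"]))
    return dict(per_engineer), unattributed


if __name__ == "__main__":
    named, unknown = attribute(EVENTS, DEVICE_OWNER)
    for engineer, logins in sorted(named.items()):
        print(engineer, logins)
    for ev in unknown:
        print("UNATTRIBUTED", ev["time"], ev["host"], ev["device"])
```

Attribution of this kind only holds while each device stays with the engineer it was issued to; a phone or token passed between engineers makes the mapping meaningless.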


NigelG
Level 1

Excellent, thanks for the info.


3 Replies

That's worked well. If we want to add offline activation, that seems like it is tied to the computer and the 2FA device... would a YubiKey be better?

I've set up offline activation with 1 PC and one of the 2 admin phone numbers, but with the second phone number, can I tie that to offline as well?
