I know the straight answer to this is “Just don’t do that”, but there are some constraints in place that mean maybe I have no choice.
So we’ve got a department (let’s call it ‘handling’) staffed by half a dozen different people - there is one computer that they all share (and that’s fine in terms of demand - only about 10% of their individual work is done on the computer - the rest is physical process).
So they all log into the PC using a single domain account called ‘handling’ - and that needs to remain the case because:
- They all work on one mailbox called Handling@company.com (OK, we could overcome that with a shared mailbox and individual accounts, but…)
- They require access to a specific piece of the production system that:
  1. Takes a long time to open and process its initial work (so there is a strong desire to open it once in the morning and keep it open)
  2. Cannot be opened by multiple users concurrently (it is locked by the first person who opens it)
  3. Cannot even be run in a switched-user environment (the program won't run in one user session at all if there is another locked session with any part of it running)
  4. Isn't going to be replaced or significantly developed, yet is critical to the operation of the business
I want a way for any of those multiple users to be able to log in, or unlock, the shared ‘handling’ domain account on their shared machine.
The current solution is that the password is taped to the monitor. That neatly solves the problem from the users' perspective, but of course it means anyone who isn't one of the correct users can also log in with ease.
Now, please spare me any lectures - I know it’s wrong. I already know how I would do this properly if I was designing everything from scratch. That opportunity is not forthcoming.
I also know the constraints above are a steaming pile of bullshit, but they are real, they are not going away, and I have to slap some kind of sticking-plaster solution in place.
What I think I need is some way of enrolling multiple smart cards or fingerprints against a single Windows domain account - and ideally in a way that provides its own additional layer of auditing.
Does such a thing exist?