Question - Built-in Domain Administrator account

B

BobD

<cross-posted to win2000.active_directory, *.general,
*.security>

Have a client that has added the built-in domain
administrator account to the built-in Domain Admins Global
Security Group. The built-in administrator account is also
in the Domain Local Administrators group. I don't think
this is right but I also don't see any particular issues
with the practice other than possible unneeded redundancy.

Any good wisdom regarding this or MS based tech references
to justify my position?

Thanks -

roberto
(please respond to the group)
 
S

Steven L Umbach

The domain admins group is also in the local administrators group on all domain
computers by default. By adding the administrator to the domain admins group, then
"the" administrator can also manage all computers in the domain. If that is what they
want, I don't see the harm as long as other security measures are in place to protect
accounts with domain administrator powers, particularly complex passwords. --- Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

AD built in Administrator account options 1
How to secure the Administrator account? 7
Methods for Recovering Administrator Accounts 2
How to disable domain administrator get local administrators group ? 3
Disable Administrator Login in a W2K Domain 6
Default domain permissions 4
domain administrator account password reset problem 2
Domain Admins can't manage computers 3

Top