administrator

Guest

Our company had a recent audit, and part of the report explains that the
administrator accounts need to be renamed and set to change password.
I have renamed, but I am hesitating on unchecking never change password. Is there
a link which shows why/why not it should be set at never change password?


Thanks for the help
 
Miha Pihler [MVP]

No, but I can say that this is not a bad policy -- especially if you have
time to prepare for it.

Identify all the services on all servers or client computers that might run
under this account and start running them under another account -- an account
that is not a member of the domain administrators group if possible (give the account
only the permissions that it needs to run that service - least privilege).

Using a Least-Privileged User Account
http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

After you do this, you shouldn't have any problems changing the Administrator
password regularly.
 
Guest

I agree on renaming the admin and I even agree on changing the password from
time to time.
I guess my question is: do I leave it as never change password and manually change
it, which is what I prefer, or have it unchecked so it automatically asks
for a change in x amount of days?

Let me know

Frank
 
Roger Abell [MVP]

Changing the password of accounts regularly is a good thing.
If accounts have become compromised without your knowing it,
a password change can invalidate that compromise (although by
then the damage may be irreversible).
 
Guest

Sorry, I guess I did not make myself clear on the question I am asking.

I agree that changing the password is a good thing and that is not the question.

The question is that the administrator's current setting is never change password as
checked or "on".
So my question is not about changing the password from time to time --- my
question is whether I should leave the never change password "on" or "off".

My preference is to leave it "on" since I may miss the opportunity to
change on that day and would rather change when I have time to test the server.
However, I would like a link or other opinion on this matter.


Thanks

Frank
 
Roger Abell [MVP]

If an account is not used for running a service then have its password
changed on schedule. You can configure how often that is done and
also how long before the deadline reminders will be presented at login.
 
Guest

I guess I disagree with that thinking but I respect your choice. I would rather
leave it on and set a reminder in Outlook to remind me to change it, then manually
change it, and finally test by rebooting the server on that day, instead of every 30 or
40, or x amount of days, when it must change and I might by chance miss it and maybe
lock myself out from the account.

That is my 2 cents worth. I think at the end of the day we both accomplish the
same thing.

Thanks

Frank
 
Steven L Umbach

You have to be careful for any account that is subject to password maximum
age and is configured for password can not be changed as the user will not
be able to change the password if they wait until the password has expired
and an administrator will have to manually reset the password.

I don't have a link to a recommendation why it should never be used but
generally the password can not be changed attribute is used where users
share an account and do not lock a user out when the password is changed or
when an account is used for services which you would not want to use the
built in administrator account for so I don't see a good reason to implement
it on the built in administrator account. Keep in mind that the can not
change password attribute only prevents the user from "changing" the
password and does not prevent domain level administrators from resetting the
password. --- Steve
 
Andy

frank said:
Our company had a recent audit, and part of the report explains that the
administrator accounts need to be renamed and set to change password.
I have renamed, but I am hesitating on unchecking never change password.
Is there a link which shows why/why not it should be set at never
change password?

What I have done (which may or may not work for you) is to rename the
account, then disable it.
All domain admins on the network have their own account which makes it
easier to audit who is making what changes.

You could also create another (non admin) disabled account called
Administrator and scan your security logs every now and then for attempts to
use that account.

Andy.
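
The log scan suggested in the post above, sketched as an added example that is not part of the original thread: it reads Security-log events exported as XML and reports authentication attempts that name the decoy account. The event IDs (numbering used on Windows Vista / Server 2008 and later), the single `<Events>` wrapper element and all sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DECOY = "administrator"  # assumption: the disabled decoy keeps the default name
# Authentication event IDs as numbered on Windows Vista / Server 2008 and later.
WATCHED = {"4625": "failed logon", "4771": "Kerberos pre-auth failed",
           "4776": "NTLM credential validation"}

def _ev(eid, when, **data):
    """Build one constructed event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample export (not real log data).
SAMPLE = "<Events>" + "".join([
    _ev(4625, "2024-01-05T02:11:09Z", TargetUserName="Administrator", IpAddress="10.0.0.23"),
    _ev(4625, "2024-01-05T02:12:40Z", TargetUserName="jsmith", IpAddress="10.0.0.41"),
    _ev(4776, "2024-01-05T02:13:02Z", TargetUserName="ADMINISTRATOR", Workstation="WKS-07"),
    _ev(4771, "2024-01-05T02:13:30Z", TargetUserName="administrator", IpAddress="10.0.0.23"),
    _ev(4634, "2024-01-05T02:14:00Z", TargetUserName="Administrator"),
]) + "</Events>"

def decoy_attempts(xml_text, decoy=DECOY):
    """Return authentication events that name the decoy account."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in WATCHED:
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        # Account names are case-insensitive; drop any @realm suffix.
        user = data.get("TargetUserName", "").split("@")[0].lower()
        if user != decoy:
            continue
        # 4625/4771 carry IpAddress; 4776 carries Workstation instead.
        source = data.get("IpAddress") or data.get("Workstation") or "unknown"
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        hits.append({"time": when, "event": WATCHED[event_id], "source": source})
    return hits

def attempts_by_source(hits):
    """Count decoy hits per source so repeated probing stands out."""
    return Counter(h["source"] for h in hits)

if __name__ == "__main__":
    found = decoy_attempts(SAMPLE)
    for h in found:
        print(h["time"], h["event"], "from", h["source"])
    print(dict(attempts_by_source(found)))
```

Because nothing legitimate should ever authenticate as the decoy, any hit is worth a look; the per-source count shows which machine to check first.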
 
