Best practice - local administrator account

[SA]

Hi all,
We are moving to AD this summer and I wanted to know if it is best practice
to disable the local administrator account.

Right now I am going to be renaming the account and assigning the account a
complex 14 - character password.

Thanks.

 

[Andrew Hodes]

I can't really recommend this. If for some reason the DC is down or there
is a problem with the machine you would be unable to log in as an admin
without 3rd party software. Correct me if I'm wrong but I don't believe it
is possible to disable the builtin admin account. I would, however,
recommend using a different admin password on the local machine than the DC
so that its mroe difficult to crack the password.

 

[Christoffer Andersson]

Sorry but you can force a disable of the Built-in Administrator and Guest
Account within a GPO.

I recommend this becuse its improve the security in your enviorment. How
ever if a Domani Controller not are availbel at the moment for autanicattion
you will anyway be availbel to logon.

 

[SA]

Thanks for the replies guys.

But if the DC is not available and I disable cached credentials will a
domain user still be able to login.

-SA.

 

[Jimmy Andersson [MVP]]

No.

Regards,
/Jimmy

 

[Brian Desmond [MVP]]

iF the machine loses its acocunt in the domain, you're screwed. Rename the
account, and give it a complex password - you'll be set. One of the things
I've seen done is rename the admin account to something, and then set the
rename guest account policy to "administrator" & disable it. This should at
least temporarily fool someone.

--
--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com