Creating a new Domain level Admin Account

Guest

We want to change our domain administrator account to give it a new name and
better password. The problem is that over the years, I know that the
administrator account is the logon account for some services and also is used
for authentication for our tape backup jobs...I'm also pretty sure that it is
used elsewhere, but would have to research that.

My thought was to create a new domain administrator account with a
non-obvious name and highly-complex password and to go through each server
examining the services and jobs that use the default administrator account and
change it to the new one. Then, when I'm pretty sure that I've found
everything, I'd change the name of the default administrator account and give
it a highly-complex password. We would continue to use this newly named
default administrator account for logging in for domain things, and the new
administrator account that I create for things like applications and services
that need that level of access.

I have two questions. First, does this seem like a reasonable solution?
Second, how is this best done so that the new administrator has all the
rights and permissions that the default one has?

Thanx...Jon
 
Herb Martin

Jon Yiesla said:
> We want to change our domain administrator account to give it a new name
> and better password. The problem is that over the years, I know that the
> administrator account is the logon account for some services and also is
> used for authentication for our tape backup jobs...I'm also pretty sure
> that it is used elsewhere, but would have to research that.

There is no true extra security unless you fix that password
too.

Bite the bullet, change the password, find the misconfigured
services and give them their own accounts with randomized
20-character, complex passwords.

> My thought was to create a new domain administrator account with a
> non-obvious name and highly-complex password and to go through each server
> examining the services and jobs that use the default administrator account
> and change it to the new one.

Most/many services should actually have their OWN SPECIFIC
accounts. Then when you need to change one of them you don't
have to change them all.

> Then, when I'm pretty sure that I've found everything, I'd change the name
> of the default administrator account and give it a highly-complex password.

20-characters too.

Changing the Admin account name is of only limited actual
security value since the SID is well known.

> We would continue to use this newly named default administrator account
> for logging in for domain things,

"We" -- EACH Admin should also have their own Admin account
(as well as a "regular account" for normal work.) Admin
accounts should generally NOT be shared.

> and the new administrator account that I create for things like
> applications and services that need that level of access.

And each of these should have their own too.

> I have two questions. First, does this seem like a reasonable solution?

Not quite complete but on the right path.

> Second, how is this best done so that the new administrator has all the
> rights and permissions that the default one has?

COPY the old admin account. Do not try to create it fresh.

Not all services even NEED an admin account either. Some
do, some don't.
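
A starting point for the inventory step discussed in this thread, as an added example that is not part of either post: it lists Windows services and scheduled tasks that run as the built-in domain Administrator, resolving the account by its well-known RID 500 so the result does not depend on the account's current name. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to the servers, and an "OperatingSystem contains Server" filter for choosing which machines to query.

```powershell
# Added example: find services and scheduled tasks that run as the built-in
# domain Administrator. Assumes RSAT ActiveDirectory and CIM/WinRM access.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# The built-in Administrator is always <domain SID>-500, whatever it is named.
$admin  = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"

# Forms the account can take in a service or task definition. A bare
# sAMAccountName hit may also be a local account and needs a manual check.
$names = @(
    "$($domain.NetBIOSName)\$($admin.SamAccountName)",
    "$($admin.SamAccountName)@$($domain.DNSRoot)",
    $admin.UserPrincipalName,
    $admin.SamAccountName
) | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Select-Object -Unique

# Assumption: every computer object whose OS name contains "Server" is in scope.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
    Where-Object { $_.DNSHostName } |
    Select-Object -ExpandProperty DNSHostName

$findings = foreach ($server in $servers) {
    try {
        $session = New-CimSession -ComputerName $server -ErrorAction Stop
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { $_.StartName -and $names -contains $_.StartName.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'
                                   Name = $_.Name; RunAs = $_.StartName }
            }
        Get-ScheduledTask -CimSession $session -ErrorAction Stop |
            Where-Object { $_.Principal.UserId -and
                           $names -contains $_.Principal.UserId.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'ScheduledTask'
                                   Name = "$($_.TaskPath)$($_.TaskName)"
                                   RunAs = $_.Principal.UserId }
            }
        Remove-CimSession -CimSession $session
    } catch {
        # Record servers that could not be queried so they are checked by hand.
        [pscustomobject]@{ Server = $server; Type = 'QueryFailed'
                           Name = $_.Exception.Message; RunAs = $null }
    }
}
$findings | Sort-Object Server, Type | Format-Table -AutoSize
```

This covers services and scheduled tasks only; credentials stored inside applications, such as the tape backup jobs mentioned in the question, have to be checked in those products.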
 
