Disabling Administrator Account

jamestulloch

Hello All,

The best practise for securing AD is to disable the administrator
account. Clearly you will need in advance to have created a sufficient
number of other administrators so that you reduce the chance of
locking yourself out completely.


However, are there other issues that you might run into? Is the
administrator account referenced directly anywhere, on the box, in
the registry or within AD that could cause issues?


I have created a user account with the same group membership as
"administrator" but still occasionally have problems that seem to
point towards permissions issues.


Any thoughts?


Cheers


James
 
jamestulloch said:
Hello All,

The best practise for securing AD is to disable the administrator
account. Clearly you will need in advance to have created a sufficient
number of other administrators so that you reduce the chance of
locking yourself out completely.

That's not a best practice. In fact, don't do it.

If you use account lockout (and you should as THIS is a best
practice) then an attack can lock out EVERY account.

Even renaming the admin account is an old recommendation that
no longer is worth the trouble (hackers know the well-known SID
and can come at it that way.)

However, are there other issues that you might run into? Is the
administrator account referenced directly anywhere, on the box, in
the registry or within AD that could cause issues?


I have created a user account with the same group membership as
"administrator" but still occasionally have problems that seem to
point towards permissions issues.


Any thoughts?

Don't do it.

Give the admin account a LONG, COMPLEX password and don't
use it day to day. Write down that password and lock it in a
safe place.
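
An added example, not written by any poster in this thread: a read-only PowerShell audit that finds the built-in Administrator by the well-known SID mentioned in the reply above (so a rename does not hide it) and reports whether it is enabled, renamed, and whether its password age and last logon fit the "long password, not used day to day" advice. It assumes the ActiveDirectory RSAT module is installed; the two thresholds are illustrative assumptions.

```powershell
# Added example: read-only audit of the built-in domain Administrator (RID 500).
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Illustrative thresholds (assumptions for this example, not values from the thread).
$MaxPasswordAgeDays = 365
$RecentLogonDays    = 30

# The built-in Administrator always has the SID <domain SID>-500, so it is
# looked up by SID here; renaming the account does not change that value.
$domainSid = (Get-ADDomain).DomainSID.Value
$admin = Get-ADUser -Identity "$($domainSid)-500" `
    -Properties Enabled, PasswordLastSet, LastLogonDate

$now      = Get-Date
$findings = @()

if (-not $admin.Enabled) {
    $findings += 'Account is disabled'
}
if ($admin.SamAccountName -ne 'Administrator') {
    $findings += "Account is renamed to '$($admin.SamAccountName)' (SID is unchanged)"
}
if ($null -eq $admin.PasswordLastSet) {
    $findings += 'Password has never been set or must change at next logon'
}
elseif (($now - $admin.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
    $findings += "Password is older than $MaxPasswordAgeDays days"
}
# LastLogonDate comes from lastLogonTimestamp, which replicates with a lag of
# up to about two weeks, so treat it as approximate.
if ($admin.LastLogonDate -and
    ($now - $admin.LastLogonDate).TotalDays -lt $RecentLogonDays) {
    $findings += "Logged on within the last $RecentLogonDays days (day-to-day use?)"
}

[pscustomobject]@{
    SamAccountName  = $admin.SamAccountName
    SID             = $admin.SID.Value
    Enabled         = $admin.Enabled
    PasswordLastSet = $admin.PasswordLastSet
    LastLogonDate   = $admin.LastLogonDate
    Findings        = if ($findings) { $findings -join '; ' } else { 'None' }
}
```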
 
Leave the administrator account alone.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
You can disable the default administrator account using a GPO linked to the
domain. When the DC is booted into normal mode the GPO applies and the
account is disabled. When booting into safe with networking the GPO does not
apply and the account is enabled, giving you the chance to use it for
whatever reason.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 