I want to make sure that all my servers only have one enabled local administrator account

Spin

I want to make sure that all my servers only have one enabled local
administrator account. How can I make a script file which does this?
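One way to audit this across a fleet, as an added example that is not from this thread: it reports the enabled local (non-domain) accounts that are direct members of the Administrators group on each server and flags any machine whose count differs from the expected policy value. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module on the targets, WinRM enabled for Invoke-Command, and the server names shown are placeholders.

```powershell
# Added audit example (not from the thread). Assumes PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module and WinRM reachable on targets.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),  # placeholder names
    [int]$ExpectedCount = 1                               # policy: how many enabled local admins
)

# Runs on each server: returns enabled local user accounts that are direct
# members of the local Administrators group (domain principals are excluded).
$audit = {
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

    $enabled = foreach ($m in $members) {
        # Member names come back as COMPUTER\name; look up the account itself.
        $name = $m.Name.Split('\')[-1]
        $acct = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($acct -and $acct.Enabled) { $acct.Name }
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        EnabledAdmins = @($enabled)
        Count         = @($enabled).Count
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit -ErrorAction Continue

foreach ($r in $results) {
    $status = if ($r.Count -eq $ExpectedCount) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1,-15} {2} enabled local admin(s): {3}' -f $status, $r.Computer, $r.Count, ($r.EnabledAdmins -join ', ')
}

# Non-zero exit code so a scheduled task or monitoring job can alert on drift.
if (@($results | Where-Object { $_.Count -ne $ExpectedCount }).Count -gt 0) { exit 1 }
```

Set -ExpectedCount to whatever the site policy decides (the rest of this thread argues for more than one), and treat a REVIEW line as something to investigate rather than auto-remediate.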
 
Ray at

All those hacks are fine and dandy if you have time to dick around with
downed servers.

Ray at work
 
Michael Holzemer

Wouldn't call 2 reboots dicking around.

--
Regards,

Michael Holzemer

Please reply in newsgroup
 
Spin

Why is that? I might use your response as part of a response to my manager
who wants to limit to only one admin account per machine.

 
Michael Holzemer

Really...

I suppose I should retort that you apparently run a small workgroup and do
not know what a domain is. I do not want a flame war here, just an
understanding. We just have two different views of the same situation. My
assumption is that "users" in this case does not include groups and it is a
domain. I could easily be wrong based on the information from the post.

Just for clarity. I run a 2 tier mission critical data center with fully
redundant load balanced application servers with a clustered back end along
with a corporate network. High availability is my middle name. If I am down
I don't eat.

Think about this. My servers have the domain admins group in the admin group
on all servers. If I were to find a second admin account on a server I would
probably want to terminate the engineer responsible for being careless or
lazy.
 
Ray at

I do not want a flame war either.

I'm also in a domain. And as such, I agree that there shouldn't be
additional local admin accounts on the servers. Whether you have a
workgroup server with two admin logons or a domain member server or DC (more
than one), you must have more than one way to log on with administrative
rights. That's all I'm saying.

The majority of the data where I work is stored on an AS/400, so I also know
about uptime. :]

To Spin,

Download the last few thousand posts in a few W2K newsgroups and look at how
many posts there are like, "Someone quit, got fired, died, etc. and no one
has the administrator password. How can we get on our servers?" Don't put
yourself in that situation. To steal someone else's analogy (I don't think
it was in this thread), ask your boss how many sets of keys he has for his
car or house. When he answers with a number greater than 1, ask him why.

Ray at home

Ray at said:
You apparently don't have any critical servers then. All I'm saying is that
it is a bad idea to have only one administrative account on a machine.

Ray at work
 
Don Grover

Can I add my 2 cents worth.
Spin, bottom line is follow these rules.
1) Rename the Administrator account name
2) Use mixed case & numbered passwords, i.e. St1llet0, > 7 characters
3) Have an Emergency Administrator password with 12+ random characters
4) Important to keep a hard copy in a safe of all non-recoverable passwords,
i.e. my accountant just died with the CEO, what do I do.

PS. Even if MS Baseline Sec Analyser says you have more than 1 admin user
:cool:
Of course not all may agree .....
Regards
Don



 
Michael Holzemer

I agree with that 100%. In reality I have at least 4 keys to every server: 2
domain admins, the local admin ("in the safe" figuratively), and the magical
original domain admin account (the one really in the safe in case the bus
gets my colleague and me at the same time), so that's the way I tend to
perceive things.

I actually posted that link as a tool for solving the "I lost my password"
dilemma. I should have been clearer as to the purpose of it (you know an FYI
deal as opposed to an answer). The time I needed to use it on a non-critical
Oracle server (that had not been put into the domain and only had 1 admin
account and the guy was no longer with the company. Spin you listening?)
made me swear by it. That's all.

--
Regards,

Michael Holzemer
No email replies please - reply in newsgroup


 
Mark V


As simple as "Don't keep all your eggs in one basket." If _anything_
untoward happens to your single and only Administrator account, you're
hosed. (Not counting some password hacks mentioned upthread.) I would
always have more than one "local administrator" on a server. It could
be an account that is not in daily use, of course, and "secure" by
virtue of a non-obvious account name and a complex password kept in a
safe. ...
 
Ray at

Nice, so then we all agree. Have more than one administrator account
available, and also be aware of what tools are available in a total
emergency. :]

Ray at home

 