Renaming W2k AD Administrator Account

Guest

I have been told by our Auditors to rename the administrator account and
create another Administrator account with no privileges in its place.

We have 19 servers that log-in as Administrator and have services that
use/run as the Administrator account.

Can anyone please let me have or suggest an order that I should tackle this
large change to our AD domain and the servers/services in it?

Thanks.
 
Guest

As you have already discovered, using the same (domain) Administrator account
to run NT services is not a good idea at all (read: security risk).

It is best practice to assign an account with the least privileges and
minimal rights / permissions in order for it to function properly. Create
"service accounts", remove the "logon locally" rights and deploy them in
place of the current Administrator account - a one time effort to replace
(unavoidable).

Do let us know if this helps. Thanks.
 
ptwilliams

I have been told by our Auditors to rename the administrator account and
create another Administrator account with no privileges in its place.

Ah...security through obscurity...how pointless.

A truly useless recommendation that so many people recommend. The
administrator account has a well-known SID. Which means it's almost
pointless renaming it!!! All it will do is confuse the admin people.

As for not running services as administrator, that's a valid point. You
should specify a specific account, and try and tie it down...


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Ryan Hanisco

Woodsy,

Download the ADMTv2 and use its service accounts tool to look across your
domain for services that have been set to use built-in accounts for their
permissions. This is a sneaky way to enumerate these kinds of accounts. As
a best practice, you should NEVER assign the Administrator account to a
service -- create an account for each service (or one account for grouped
services) with only the permissions that it needs to complete its function.

PT is right with the well-known SID. This is partially circumvented by
disabling the account but obscurity is never to be confused with security.

All in all, change things slowly and do testing after each change to verify
function. The last thing you want is to have to diagnose several problems
at once.
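
An added example, not part of the thread: a PowerShell inventory of services that log on as the built-in Administrator, resolving the account through its well-known SID (RID 500) so the list stays correct after a rename. The function names, server names and sample rows are constructed for illustration; the live query assumes a PowerShell version with Get-CimInstance and remote management enabled on the servers.

```powershell
# Added example. Function names, server names and sample rows are constructed.

function Resolve-BuiltinAdminName {
    # Build <account domain SID>-500 and translate it to its current name,
    # so the lookup still works after the account has been renamed.
    # Run as a domain user; a local logon resolves the local Administrator instead.
    $domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
    $adminSid  = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
        -ArgumentList ([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid), $domainSid
    # Translate() returns DOMAIN\name; keep only the name part.
    ($adminSid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
}

function Find-AdminServices {
    param(
        [Parameter(Mandatory)] [object[]] $Services,  # rows with SystemName, Name, StartName
        [Parameter(Mandatory)] [string]   $AdminName  # current name of the RID-500 account
    )
    foreach ($svc in $Services) {
        if (-not $svc.StartName) { continue }         # no logon account recorded
        # Reduce DOMAIN\name, .\name and name@domain to the bare account name.
        $account = ($svc.StartName -split '\\')[-1] -replace '@.*$', ''
        if ($account -ieq $AdminName) {
            [pscustomobject]@{
                Server  = $svc.SystemName
                Service = $svc.Name
                LogonAs = $svc.StartName
            }
        }
    }
}

# Constructed sample rows, shaped like Win32_Service output, for an offline run.
$sample = @(
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'BackupAgent'; StartName = 'CORP\Administrator' }
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'Spooler';     StartName = 'LocalSystem' }
    [pscustomobject]@{ SystemName = 'SRV02'; Name = 'SqlAgent';    StartName = 'administrator@corp.example' }
    [pscustomobject]@{ SystemName = 'SRV02'; Name = 'Dhcp';        StartName = 'NT AUTHORITY\NetworkService' }
)
Find-AdminServices -Services $sample -AdminName 'Administrator' | Format-Table -AutoSize

# Live use against your own servers (replace the placeholder names):
# $name = Resolve-BuiltinAdminName
# $svcs = Get-CimInstance -ClassName Win32_Service -ComputerName 'SRV01', 'SRV02'
# Find-AdminServices -Services $svcs -AdminName $name | Export-Csv admin-services.csv -NoTypeInformation
```

Each row in the output is one service to move to its own least-privilege account; working through them one server at a time keeps the change testable.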
 