Focus on Microsoft
Administrator in Domain Admins group Jan 31 2011 03:58PM
Shang Tsung (shangtsung71 gmail com) (3 replies)
RE: Administrator in Domain Admins group Jan 31 2011 07:21PM
Laura A. Robinson (lrobinson technologist com)
RE: Administrator in Domain Admins group Jan 31 2011 06:16PM
Michael Sturtz (Michael Sturtz PACCAR com) (1 replies)
RE: Administrator in Domain Admins group Feb 08 2011 10:16AM
James D. Stallard (james leafgrove com)
RE: Administrator in Domain Admins group Jan 31 2011 06:00PM
Staats, Ryan (ryan staats sno wednet edu)
If you fear it's been compromised, just change the password. The important point to note is that anyone with domain admin credentials can simply modify the password of that account at any time, just as anyone with domain admin credentials can create a dummy account, futz about, and then delete it. If you have no live auditing tools (like me), it'll likely be missed.

The obvious thing to note here is that if you have any other systems relying on that administrator account for credentialing, changing the password would break that. Try as I might, just when I think I've removed its use from every system I have, I find another thing I didn't know someone used it for. We have a problem with domain admins as well... problem is that they're actually granted those permissions intentionally. *sigh*

MS's guide to securing the AD Admin account recommends renaming it to a bogus user account name: http://technet.microsoft.com/en-us/library/cc700835.aspx

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Shang Tsung
Sent: Monday, January 31, 2011 7:58 AM
To: focus-ms (at) securityfocus (dot) com
Subject: Administrator in Domain Admins group

After an audit, I noticed that in the Domain Admins group of our domain, there is an account named Administrator. As my engineers told me, this account is created by default when you create a new domain and cannot be deleted or disabled. Is this true? I am not convinced yet.

We do not like general purpose accounts like this because we lose accountability. I am pretty sure the password of that account is in the hands of people who are not supposed to have it. Each domain admin has his own account which is in the Domain Admins group, so there is no need for this Administrator account.

Can we delete it? And if yes, what would be the consequences?

Thanks,
Shang Tsung
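
Added example, not part of either message in this thread: the reply above mentions password changes on the built-in account and dummy accounts that are created and then deleted going unnoticed without auditing. This Python sketch runs both checks over constructed Security-log records (event IDs 4720 account created, 4726 account deleted, 4724 password reset attempt) and identifies the built-in Administrator by its RID of 500, so a renamed account is still matched. The record layout, account names, times and domain SID are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs (Server 2008 and later)
CREATED, DELETED, PWD_RESET = 4720, 4726, 4724

# Constructed sample records; domain SID, names and times are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
EVENTS = [
    {"time": "2011-01-31T09:00:00", "id": 4720, "actor": "jsmith", "target": "tmpsvc", "sid": DOM + "-1620"},
    {"time": "2011-01-31T09:05:00", "id": 4724, "actor": "jsmith", "target": "helpdesk-admin", "sid": DOM + "-500"},
    {"time": "2011-01-31T09:40:00", "id": 4726, "actor": "jsmith", "target": "tmpsvc", "sid": DOM + "-1620"},
    {"time": "2011-01-31T10:00:00", "id": 4720, "actor": "hr-sync", "target": "newhire", "sid": DOM + "-1621"},
    {"time": "2011-01-31T10:10:00", "id": 4724, "actor": "hr-sync", "target": "newhire", "sid": DOM + "-1621"},
]

def is_builtin_admin(sid):
    """The built-in Administrator keeps RID 500 even after a rename."""
    return sid.startswith("S-1-5-21-") and sid.endswith("-500")

def builtin_admin_resets(events):
    """Password resets (4724) aimed at the RID-500 account, whatever its name."""
    return [(e["time"], e["actor"], e["target"]) for e in events
            if e["id"] == PWD_RESET and is_builtin_admin(e["sid"])]

def short_lived_accounts(events, window=timedelta(hours=1)):
    """Accounts created (4720) and deleted (4726) within `window`."""
    created, hits = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["id"] == CREATED:
            created[e["sid"]] = (when, e["actor"])
        elif e["id"] == DELETED and e["sid"] in created:
            born, creator = created.pop(e["sid"])
            if when - born <= window:
                hits.append((e["target"], creator, e["actor"], when - born))
    return hits

if __name__ == "__main__":
    for row in builtin_admin_resets(EVENTS):
        print("RID-500 password reset:", row)
    for row in short_lived_accounts(EVENTS):
        print("short-lived account:", row)
```

These events are only recorded when account management auditing is enabled on the domain controllers.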
