Focus on Microsoft
RE: Administrator in Domain Admins group Feb 09 2011 07:03PM
Laura A. Robinson (lrobinson technologist com)
Resending as there was a "failure to act" on the prior post and the points
are valid and important, IMO. :-)

Laura

-----Original Message-----
From: Laura A. Robinson [mailto:lrobinson (at) technologist (dot) com]
Sent: Monday, January 31, 2011 10:04 PM
To: 'Michael Sturtz'; 'Shang Tsung'; focus-ms (at) securityfocus (dot) com
Subject: RE: Administrator in Domain Admins group

A couple of small corrections-
1. The built-in Administrator account cannot be deleted via normal
mechanisms. Any mechanisms that might work to delete the account would be
unsupported.
2. The Administrator account for the domain and the local Administrator
account for a DC booted into DSRM are not actually the same account.

Thanks,

Laura

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of Michael Sturtz
Sent: Monday, January 31, 2011 1:16 PM
To: Shang Tsung; focus-ms (at) securityfocus (dot) com
Subject: RE: Administrator in Domain Admins group

The "Built-in Administrator" account CAN be deleted; however, it is strongly
cautioned against doing this. One of the reasons is it is the account that
is used in safe mode should a disaster occur. If the built-in
Administrator account is locked out, you can reboot the system in safe mode
(by hitting the F8 key at startup) and still log on to the account and fix
your system. If you delete or remove the built-in Administrator account, you
will be unable to log on to the system. I would recommend renaming the
built-in Administrator account to a different name and then creating a new account
named Administrator that is not a member of the Administrators or Domain
Administrators group and is disabled. This account is a decoy to prevent
nuisance attacks on your default administrator account.

Michael Sturtz

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of Shang Tsung
Sent: Monday, January 31, 2011 7:58 AM
To: focus-ms (at) securityfocus (dot) com
Subject: Administrator in Domain Admins group

After an audit, I noticed that in the Domain Admins group of our domain,
there is an account named Administrator. As my engineers told me, this
account is created by default when you create a new domain and cannot be
deleted or disabled. Is this true? I am not convinced yet.

We do not like general purpose accounts like this because we lose
accountability. I am pretty sure the password of that account is in the
hands of people who are not supposed to have it. Each domain admin has his
own account, which is in the Domain Admins group, so there is no need for this
Administrator account.

Can we delete it? And if yes, what would be the consequences?

Thanks,
Shang Tsung
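
A read-only audit for the situation discussed in this thread, added here as an example and not written by any of the posters: it lists every user holding Domain Admins rights, marks the built-in Administrator, and checks whether an account named Administrator is a disabled, unprivileged decoy. It relies on the well-known identifiers RID 500 (built-in Administrator), RID 512 (Domain Admins) and S-1-5-32-544 (BUILTIN\Administrators), and assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and read access to the directory. Makes no changes.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# The built-in Administrator keeps RID 500 even after a rename.
$builtin = Get-ADUser -Identity "$domainSid-500" -Properties PasswordLastSet, LastLogonDate

# Well-known SIDs: Domain Admins is <domain SID>-512, BUILTIN\Administrators is S-1-5-32-544.
$privileged = foreach ($groupSid in "$domainSid-512", 'S-1-5-32-544') {
    Get-ADGroupMember -Identity $groupSid -Recursive
}
$privilegedSids = $privileged | ForEach-Object { $_.SID.Value } | Sort-Object -Unique

# Every user with Domain Admins rights, with the RID 500 account marked.
Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.SID.Value -Properties PasswordLastSet, LastLogonDate } |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
        @{ Name = 'IsBuiltinRid500'; Expression = { $_.SID.Value -eq $builtin.SID.Value } } |
    Format-Table -AutoSize

# Decoy check: an account named Administrator that is not the RID 500 account
# should be disabled and hold no membership in either privileged group.
$named = Get-ADUser -Filter "SamAccountName -eq 'Administrator'"
if (-not $named) {
    Write-Output "No account named Administrator; RID 500 account is '$($builtin.SamAccountName)'."
} elseif ($named.SID.Value -eq $builtin.SID.Value) {
    Write-Output "Built-in Administrator has not been renamed."
} else {
    $problems = @()
    if ($named.Enabled) { $problems += 'decoy is enabled' }
    if ($privilegedSids -contains $named.SID.Value) { $problems += 'decoy is in a privileged group' }
    if ($problems) {
        Write-Output "Decoy issues: $($problems -join '; ')"
    } else {
        Write-Output "Decoy 'Administrator' is disabled and unprivileged; RID 500 is '$($builtin.SamAccountName)'."
    }
}
```

A stale PasswordLastSet together with a recent LastLogonDate on the RID 500 account is the shared-password condition the original question is concerned about.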
