Focus on Microsoft
RE: Administrator in Domain Admins group Feb 09 2011 07:03PM
Laura A. Robinson (lrobinson technologist com) (1 replies)
RE: Administrator in Domain Admins group Feb 11 2011 08:39AM
James D. Stallard (james leafgrove com) (1 replies)
...And further to Laura's second point:

The Local Administrator account used on Domain Controllers when logging in using Directory Services Restore Mode (DSRM) has a different password and a different set of rights to the Domain Administrator account. The account is referred to here as the DSRM account.

The password for the DSRM account is set during the DCPROMO process to create the Domain Controller, and is set independently (and often differently) on each individual Domain Controller. These passwords are typically lost!

Windows 2008R2 allows you to automate the changing of these passwords to sync them with password of another account. My personal preference is to hold the Domain Administrator account in trust (as per previous post) and sync the DSRM account password on each Domain Controller with the Domain Administrator account password. This can easily be automated with Group Policy Preference to affect all current and future Domain Controllers.

The DSRM account rights cannot be broken down and delegated, but the passwords can be held in trust to maintain control over the environment by the business - NOT the IT Department. These passwords change rarely, so must be strong enough to resist attack for extended periods. Consider a 25 character passphrase using mixed case, numbers, letters and punctuation as the minimum acceptable length to defend against the current abilities of the password cracker.

Cheers

James

James D. Stallard
Email: james (at) leafgrove (dot) com [email concealed]
Mobile: +44 (0) 7979 49 8880
Skype: JamesDStallard

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Laura A. Robinson
Sent: 09 February 2011 19:04
To: 'Michael Sturtz'; 'Shang Tsung'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Administrator in Domain Admins group

Resending as there was a "failure to act" on the prior post and the points
are valid and important, IMO. :-)

Laura

-----Original Message-----
From: Laura A. Robinson [mailto:lrobinson (at) technologist (dot) com [email concealed]]
Sent: Monday, January 31, 2011 10:04 PM
To: 'Michael Sturtz'; 'Shang Tsung'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Administrator in Domain Admins group

A couple of small corrections-
1. The built-in Administrator account cannot be deleted via normal
mechanisms. Any mechanisms that might work to delete the account would be
unsupported.
2. The Administrator account for the domain and the local Administrator
account for a DC booted into DSRM are not actually the same account.

Thanks,

Laura

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Michael Sturtz
Sent: Monday, January 31, 2011 1:16 PM
To: Shang Tsung; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Administrator in Domain Admins group

The "Built in Administrator" account CAN be deleted however it is strongly
cautioned against doing this. One of the reasons is it is the account that
is used in safe mode should a disaster occur. If the built in
Administrator account is locked out you can reboot the system in safe mode
(by hitting the F8 key at startup) and still logon to the account and fix
your system. If you delete or remove the built in administrator account you
will be unable to logon to the system. I would recommend renaming the built
in administrator account to a different name and then creating a new account
named Administrator that is not a member of the Administrators or Domain
Administrators group and is disabled. This account is a decoy to prevent
nuisance attacks on your default administrator account.
Michael Sturtz

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Shang Tsung
Sent: Monday, January 31, 2011 7:58 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Administrator in Domain Admins group

After an audit, I noticed that in the Domain Admins group of our domain,
there is an account named Administrator. As my engineers told me, this
account is created by default when you create a new domain and cannot be
deleted or disabled. Is this true? I am not convinced yet.

We do not like general purpose accounts like this because we lose
accountability. I am pretty sure the password of that account is in the
hands of people who are not supposed to have it. Each domain admin has his
own account who is in the Domain Admins group, so there is no need for this
Administrator account.

Can we delete it? And if yes, what would be the consequences?

Thanks,
Shang Tsung

[ reply ]
Re: Administrator in Domain Admins group Feb 14 2011 04:51PM
Susan Bradley (sbradcpa pacbell net)


 

Privacy Statement
Copyright 2010, SecurityFocus