Focus on Microsoft
RE: Administrator in Domain Admins group Feb 09 2011 07:03PM
Laura A. Robinson (lrobinson technologist com) (1 replies)
RE: Administrator in Domain Admins group Feb 11 2011 08:39AM
James D. Stallard (james leafgrove com) (1 replies)
Re: Administrator in Domain Admins group Feb 14 2011 04:51PM
Susan Bradley (sbradcpa pacbell net)
The Lazy Admin : Sync DSRM and Domain Admin Passwords:
http://thelazyadmin.com/blogs/thelazyadmin/archive/2009/02/27/sync-dsrm-and-domain-admin-passwords.aspx

Server 2008 can do it as well with a hotfix.

On 2/11/2011 12:39 AM, James D. Stallard wrote:
> ...And further to Laura's second point:
>
> The Local Administrator account used on Domain Controllers when logging in using Directory Services Restore Mode (DSRM) has a different password and a different set of rights from the Domain Administrator account. The account is referred to here as the DSRM account.
>
> The password for the DSRM account is set during the DCPROMO process to create the Domain Controller, and is set independently (and often differently) on each individual Domain Controller. These passwords are typically lost!
>
> Windows 2008R2 allows you to automate the changing of these passwords to sync them with the password of another account. My personal preference is to hold the Domain Administrator account in trust (as per previous post) and sync the DSRM account password on each Domain Controller with the Domain Administrator account password. This can easily be automated with Group Policy Preferences to affect all current and future Domain Controllers.
>
> The DSRM account rights cannot be broken down and delegated, but the passwords can be held in trust to maintain control over the environment by the business - NOT the IT Department. These passwords change rarely, so they must be strong enough to resist attack for extended periods. Consider a 25-character passphrase using mixed case, numbers, letters and punctuation as the minimum acceptable length to defend against the current abilities of the password cracker.
>
> Cheers
>
> James
>
> James D. Stallard
> Email: james (at) leafgrove (dot) com [email concealed]
> Mobile: +44 (0) 7979 49 8880
> Skype: JamesDStallard
>
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Laura A. Robinson
> Sent: 09 February 2011 19:04
> To: 'Michael Sturtz'; 'Shang Tsung'; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Administrator in Domain Admins group
>
> Resending as there was a "failure to act" on the prior post and the points
> are valid and important, IMO. :-)
>
> Laura
>
> -----Original Message-----
> From: Laura A. Robinson [mailto:lrobinson (at) technologist (dot) com [email concealed]]
> Sent: Monday, January 31, 2011 10:04 PM
> To: 'Michael Sturtz'; 'Shang Tsung'; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Administrator in Domain Admins group
>
>
> A couple of small corrections-
> 1. The built-in Administrator account cannot be deleted via normal
> mechanisms. Any mechanisms that might work to delete the account would be
> unsupported.
> 2. The Administrator account for the domain and the local Administrator
> account for a DC booted into DSRM are not actually the same account.
>
> Thanks,
>
> Laura
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
> Behalf Of Michael Sturtz
> Sent: Monday, January 31, 2011 1:16 PM
> To: Shang Tsung; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Administrator in Domain Admins group
>
> The "Built in Administrator" account CAN be deleted; however, it is strongly
> cautioned against doing this. One of the reasons is it is the account that
> is used in safe mode should a disaster occur. If the built in
> Administrator account is locked out you can reboot the system in safe mode
> (by hitting the F8 key at startup) and still logon to the account and fix
> your system. If you delete or remove the built in administrator account you
> will be unable to logon to the system. I would recommend renaming the built
> in administrator account to a different name and then creating a new account
> named Administrator that is not a member of the Administrators or Domain
> Administrators group and is disabled. This account is a decoy to prevent
> nuisance attacks on your default administrator account.
> Michael Sturtz
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
> Behalf Of Shang Tsung
> Sent: Monday, January 31, 2011 7:58 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Administrator in Domain Admins group
>
> After an audit, I noticed that in the Domain Admins group of our domain,
> there is an account named Administrator. As my engineers told me, this
> account is created by default when you create a new domain and cannot be
> deleted or disabled. Is this true? I am not convinced yet.
>
> We do not like general purpose accounts like this because we lose
> accountability. I am pretty sure the password of that account is in the
> hands of people who are not supposed to have it. Each domain admin has his
> own account that is in the Domain Admins group, so there is no need for this
> Administrator account.
>
> Can we delete it? And if yes, what would be the consequences?
>
> Thanks,
> Shang Tsung
>

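The sync-from-a-domain-account step that James describes, scripted so it runs against every domain controller in one pass. This is an added example, not code from the thread or from the Lazy Admin post it links to. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell Remoting enabled on the DCs, and a source account name you supply ($SyncAccount); the success string it looks for in ntdsutil's output is also an assumption to verify on your own build.

```powershell
<#
Added example, not from the list thread. Pushes the ntdsutil
"sync from domain account" operation to each DC so the DSRM
Administrator password on every DC becomes the password of one
domain account held in trust.

Assumptions (mine, not the thread's):
 - RSAT ActiveDirectory module locally, PS Remoting on the DCs.
 - $SyncAccount is a domain user with a password you control. James
   uses the built-in domain Administrator; any domain user account
   works the same way, so the name is a parameter here.
 - The sync is a one-time copy of the password hash, not a live link:
   rerun this after every change of the source password (a scheduled
   task pushed by Group Policy Preferences, as James suggests).
#>
param(
    [Parameter(Mandatory)] [string] $SyncAccount,
    [string[]] $DomainController,   # default: every DC in the domain
    [switch] $WhatIf
)

Import-Module ActiveDirectory -ErrorAction Stop

# Sanity-check the source account before touching any DC.
$acct = Get-ADUser -Identity $SyncAccount -Properties PasswordLastSet -ErrorAction Stop
if (-not $acct.PasswordLastSet) {
    throw "$SyncAccount has no password set; refusing to sync."
}

if (-not $DomainController) {
    $DomainController = (Get-ADDomainController -Filter *).HostName
}

# Runs on each DC. ntdsutil must execute locally on the DC whose DSRM
# password is being set; each quoted string answers one of its menu
# prompts, and the two q's back out of the menus.
$syncBlock = {
    param($Account)
    $out = & ntdsutil.exe "set dsrm password" "sync from domain account $Account" q q 2>&1
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        # Success text as printed by ntdsutil (assumption: verify on your build).
        Synced   = [bool]($out -match 'synchronized successfully')
        Output   = ($out | Out-String).Trim()
    }
}

$results = foreach ($dc in $DomainController) {
    if ($WhatIf) {
        Write-Host "WhatIf: would sync DSRM password on $dc from $SyncAccount"
        continue
    }
    try {
        Invoke-Command -ComputerName $dc -ScriptBlock $syncBlock `
            -ArgumentList $SyncAccount -ErrorAction Stop
    } catch {
        # Unreachable DC or remoting failure: report it, keep going.
        [pscustomobject]@{ Computer = $dc; Synced = $false; Output = $_.Exception.Message }
    }
}

$results | Format-Table Computer, Synced -AutoSize
$results | Where-Object { -not $_.Synced } | ForEach-Object {
    Write-Warning "DSRM sync failed on $($_.Computer): $($_.Output)"
}
```

Run it with -WhatIf first to see which DCs it would touch. Each successful or failed attempt is recorded in the DC's Security log (event ID 4794, "An attempt was made to set the Directory Services Restore Mode administrator password"), which is the check to alert on: the DSRM password should only ever change when this job runs.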
Copyright 2010, SecurityFocus