Renaming W2k AD Administrator Account

Anonymous
March 16, 2005 8:01:04 AM

Archived from groups: microsoft.public.win2000.active_directory

I have been told by our Auditors to rename the administrator account and
create another Administrator account with no privileges in its place.

We have 19 servers that log-in as Administrator and have services that
use/run as the Administrator account.

Can anyone please let me have or suggest an order that I should tackle this
large change to our AD domain and the servers/services in it?

Thanks.

Anonymous
March 16, 2005 8:15:55 AM

As you have already discovered, using the same (domain) Administrator account
to run NT services is not a good idea at all (read: security risk).

It is best practice to assign an account with the least privileges and
minimal rights / permissions in order for it to function properly. Create
"service accounts", remove the "logon locally" rights and deploy them in
place of the current Administrator account - a one-time effort to replace
(unavoidable).

Do let us know if this helps. Thanks.


"Woodsy" wrote:

> I have been told by our Auditors to rename the administrator account and
> create another Administrator account with no privileges in its place.
>
> We have 19 servers that log-in as Administrator and have services that
> use/run as the Administrator account.
>
> Can anyone please let me have or suggest an order that I should tackle this
> large change to our AD domain and the servers/services in it?
>
> Thanks.
Anonymous
March 16, 2005 11:58:32 PM

> I have been told by our Auditors to rename the administrator account and
> create another Administrator account with no privileges in its place.

Ah...security through obscurity...how pointless.

A truly useless recommendation that so many people recommend. The
administrator account has a well-known SID. Which means it's almost
pointless renaming it!!! All it will do is confuse the admin people.

As for not running services as administrator, that's a valid point. You
should specify a specific account, and try and tie it down...


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
Anonymous
March 17, 2005 1:32:04 AM

Woodsy,

Download the ADMTv2 and use its service accounts tool to look across your
domain for services that have been set to use built-in accounts for their
permissions. This is a sneaky way to enumerate these kinds of accounts. As
a best practice, you should NEVER assign the Administrator account to a
service -- create an account for each service (or one account for grouped
services) with only the permissions that it needs to complete its function.

PT is right with the well-known SID. This is partially circumvented by
disabling the account but obscurity is never to be confused with security.

All in all, change things slowly and do testing after each change to verify
function. The last thing you want is to have to diagnose several problems
at once.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

"Woodsy" <Woodsy@discussions.microsoft.com> wrote in message
news:DF2585FB-23BF-42CD-B925-A2E79E8A43AC@microsoft.com...
> I have been told by our Auditors to rename the administrator account and
> create another Administrator account with no privileges in its place.
>
> We have 19 servers that log-in as Administrator and have services that
> use/run as the Administrator account.
>
> Can anyone please let me have or suggest an order that I should tackle this
> large change to our AD domain and the servers/services in it?
>
> Thanks.