Renaming W2k AD Administrator Account

Archived from groups: microsoft.public.win2000.active_directory

I have been told by our Auditors to rename the administrator account and
create another Administrator account with no privileges in its place.

We have 19 servers that log-in as Administrator and have services that
use/run as the Administrator account.

Can anyone please let me have or suggest an order that I should tackle this
large change to our AD domain and the servers/services in it?

Thanks.
  1.

    As you have already discovered, using the same (domain) Administrator account
    to run NT services is not a good idea at all (read: security risk).

    It is best practice to assign an account with the least privileges and
    minimal rights / permissions in order for it to function properly. Create
    "service accounts", remove the "logon locally" rights and deploy them in
    place of the current Administrator account - a one-time effort to replace
    (unavoidable).

    Do let us know if this helps. Thanks.


    "Woodsy" wrote:

    > I have been told by our Auditors to rename the administrator account and
    > create another Administrator account with no privileges in its place.
    >
    > We have 19 servers that log-in as Administrator and have services that
    > use/run as the Administrator account.
    >
    > Can anyone please let me have or suggest an order that I should tackle this
    > large change to our AD domain and the servers/services in it?
    >
    > Thanks.
  2.

    > I have been told by our Auditors to rename the administrator account and
    > create another Administrator account with no privileges in its place.

    Ah...security through obscurity...how pointless.

    A truly useless recommendation that so many people recommend. The
    administrator account has a well-known SID. Which means it's almost
    pointless renaming it!!! All it will do is confuse the admin people.

    As for not running services as administrator, that's a valid point. You
    should specify a specific account, and try and tie it down...


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  3.

    Woodsy,

    Download the ADMTv2 and use its service accounts tool to look across your
    domain for services that have been set to use built-in accounts for their
    permissions. This is a sneaky way to enumerate these kinds of accounts. As
    a best practice, you should NEVER assign the Administrator account to a
    service -- create an account for each service (or one account for grouped
    services) with only the permissions that it needs to complete its function.

    PT is right with the well-known SID. This is partially circumvented by
    disabling the account but obscurity is never to be confused with security.

    All in all, change things slowly and do testing after each change to verify
    function. The last thing you want is to have to diagnose several problems
    at once.

    --
    Ryan Hanisco
    MCSE, MCDBA
    FlagShip Integration Services
    Chicago, IL

    "Woodsy" <Woodsy@discussions.microsoft.com> wrote in message
    news:DF2585FB-23BF-42CD-B925-A2E79E8A43AC@microsoft.com...
    > I have been told by our Auditors to rename the administrator account and
    > create another Administrator account with no privileges in its place.
    >
    > We have 19 servers that log-in as Administrator and have services that
    > use/run as the Administrator account.
    >
    > Can anyone please let me have or suggest an order that I should tackle
    > this large change to our AD domain and the servers/services in it?
    >
    > Thanks.
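
An added example, not from any poster in this thread, of the inventory step the replies describe: it resolves the built-in domain Administrator by its well-known RID 500, so a rename does not hide it, and then lists the services on each server that run under a user account. The file `servers.txt` and the function name `Test-IsBuiltinAdmin` are assumptions, and it requires PowerShell with CIM/WinRM access to the target servers, run as a domain user with administrative rights on them.

```powershell
# Assumption: servers.txt is a hypothetical file with one server name per line.
$servers = Get-Content -Path .\servers.txt

# The built-in domain Administrator is always <domain SID>-500, whatever its name.
$domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
$sidType   = [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidType, $domainSid
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "RID 500 account is currently named: $adminName ($($adminSid.Value))"

# Hypothetical helper: does this service logon name resolve to the RID 500 SID?
function Test-IsBuiltinAdmin {
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return $false }
    try {
        $account = New-Object System.Security.Principal.NTAccount -ArgumentList $StartName
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        return ($sid.Value -eq $adminSid.Value)
    } catch {
        # Names that cannot be resolved from here (for example .\local accounts)
        return $false
    }
}

$report = foreach ($server in $servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            # Skip the built-in service identities; keep real user accounts.
            Where-Object { $_.StartName -and
                           $_.StartName -notmatch '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server    = $server
                    Service   = $_.Name
                    RunsAs    = $_.StartName
                    StartMode = $_.StartMode
                    IsRid500  = (Test-IsBuiltinAdmin $_.StartName)
                }
            }
    } catch {
        Write-Warning "$server : $($_.Exception.Message)"
    }
}

# Services running as the built-in Administrator sort to the top.
$report | Sort-Object IsRid500 -Descending | Format-Table -AutoSize
```

Rows with `IsRid500` set to `True` are the services to move to dedicated service accounts, one server at a time with a test after each change, before the Administrator account itself is touched.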