AD built in Administrator account options

Guest
Archived from groups: microsoft.public.win2000.security

We have a very small AD installation (2 servers). Servers were built as w2000
non AD and then upgraded to AD. When accessing the Active Directory Users and
Computers (view advanced) the 'Administrator@xyz.com' account from the domain
controller, the following options are 'grayed out' under account information for
this one account and therefore cannot be changed:
'password never expires (which is checked on)', 'store password using
reversible encryption', 'account is disabled', 'smart card is required for
interactive login', 'account is trusted for delegation', 'account is
sensitive and cannot be delegated', 'use DES encryption types for this
account' and 'do not require Kerberos preauthentication'. The only account
properties that can be changed are 'User must change password at next login'
and 'User cannot change password'.

All other accounts (some are administrator equivalent) do NOT have these
account properties grayed out. If I create a new account with administrator
privileges these account options are again NOT grayed out.

I'm assuming I'm inheriting these restrictions for the original
Administrator account from somewhere. I have reviewed the Domain Controller
Security, Domain Security Policy, local security policy and group security
policy and do not see why these options would be grayed out for this one
important account.

Any insight on how to make these account properties accessible for the
Administrator account would be greatly appreciated.
 
Guest

That is the way the built in administrator account is configured in a W2K
AD domain and cannot be changed. Windows 2003 does allow the administrator
account to be disabled to all but safe mode logon. To protect the
administrator account be sure to give it a complex password, and consider
renaming it. Keep in mind that by default it cannot be locked out to
network logon and never to local logon to a domain controller. --- Steve




"Susan Wilson" <SusanWilson@discussions.microsoft.com> wrote in message
news:ECCEC528-A6C0-4A8F-96CA-C11B3528E5AF@microsoft.com...
> We have a very small AD installation (2 servers). Servers were built as
> w2000 non AD and then upgraded to AD. When accessing the Active Directory
> Users and Computers (view advanced) the 'Administrator@xyz.com' account
> from the domain controller, the following options are 'grayed out' under
> account information for this one account and therefore cannot be changed:
> 'password never expires (which is checked on)', 'store password using
> reversible encryption', 'account is disabled', 'smart card is required for
> interactive login', 'account is trusted for delegation', 'account is
> sensitive and cannot be delegated', 'use DES encryption types for this
> account' and 'do not require Kerberos preauthentication'. The only account
> properties that can be changed are 'User must change password at next login'
> and 'User cannot change password'.
>
> All other accounts (some are administrator equivalent) do NOT have these
> account properties grayed out. If I create a new account with
> administrator privileges these account options are again NOT grayed out.
>
> I'm assuming I'm inheriting these restrictions for the original
> Administrator account from somewhere. I have reviewed the Domain Controller
> Security, Domain Security Policy, local security policy and group security
> policy and do not see why these options would be grayed out for this one
> important account.
>
> Any insight on how to make these account properties accessible for the
> Administrator account would be greatly appreciated.
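An added illustration of the reply above, not code from the thread: renaming the built-in Administrator does not change its SID, which always ends in RID 500, so an audit should locate the account by SID and then read the `userAccountControl` bits behind the check boxes listed in the question. The directory entries are constructed sample data, and the function names are hypothetical.

```python
import struct

# userAccountControl bits behind the ADUC check boxes listed in the question.
UAC_FLAGS = {
    0x00000002: "Account is disabled",
    0x00000080: "Store password using reversible encryption",
    0x00010000: "Password never expires",
    0x00040000: "Smart card is required for interactive logon",
    0x00080000: "Account is trusted for delegation",
    0x00100000: "Account is sensitive and cannot be delegated",
    0x00200000: "Use DES encryption types for this account",
    0x00400000: "Do not require Kerberos preauthentication",
}
BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator

def parse_sid(raw: bytes) -> str:
    """Convert a binary objectSid (as LDAP returns it) to S-1-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def decode_uac(value: int) -> list:
    """Names of the check boxes that are set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def find_builtin_admin(entries):
    """Return (name, sid, flags) of the RID-500 account, whatever its name."""
    for entry in entries:
        sid = parse_sid(entry["objectSid"])
        if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == str(BUILTIN_ADMIN_RID):
            return entry["sAMAccountName"], sid, decode_uac(entry["userAccountControl"])
    return None

def make_sid(*subs) -> bytes:
    """Build a binary NT-authority SID; used only for the constructed samples."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

# Constructed sample entries: the built-in account has been renamed "svc-maint".
SAMPLE = [
    {"sAMAccountName": "jsmith", "objectSid": make_sid(21, 1111, 2222, 3333, 1104),
     "userAccountControl": 0x200},
    {"sAMAccountName": "svc-maint", "objectSid": make_sid(21, 1111, 2222, 3333, 500),
     "userAccountControl": 0x10200},
]

if __name__ == "__main__":
    print(find_builtin_admin(SAMPLE))
```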