It can be both disabled (supported) and deleted (unsupported, AFAIK undocumented). It SHOULD be disabled, in my opinion. If you delete it, you run the risk of imploding anything that is configured to default to or use that account, so really, don't delete it, even if you figure out how to do it. :-)
Furthermore IMO, every organization using AD should implement RBAC and privileged identity management and have no Domain Admins, Enterprise Admins or Administrators in AD on a day-to-day basis, just in build and break-glass scenarios. Sadly, I rarely see that implemented. Laura A. Robinson -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Shang Tsung Sent: Monday, January 31, 2011 10:58 AM To: [email protected] Subject: Administrator in Domain Admins group After an audit, I noticed that in the Domain Admins group of our domain, there is an account named Administrator. As my engineers told me, this account is created by default when you create a new domain and cannot be deleted or disabled. Is this true? I am not convinced yet. We do not like general purpose accounts like this because we lose accountability. I am pretty sure the password of that account is in the hands of people who are not supposed to have it. Each domain admin has his own account who is in the Domain Admins group, so there is no need for this Administrator account. Can we delete it? And if yes, what would be the consequences? Thanks, Shang Tsung
