IMHO you're solving the wrong problem. The problem is not the Administrator account, it is that Shang Tsung has Domain Administrators he does not trust. There is little point in obfuscating the Administrator account or changing its password when any authenticated user on the Domain will be able to enumerate the members of the Domain Administrators Group. There is little point in disabling it when it can be easily re-enabled by those untrusted Domain Administrators.
What Shang Tsung requires is Delegation of Administration (DofA). This is the application of roles-based administration where each administrator is assigned only the rights that are specifically required to do their job and nothing else. This is achieved by performing a Roles and Responsibilities analysis which maps job functions to administrative access and allows the DofA designer to create appropriate delegations that can be assigned to those job functions. My company has specialised in this for years. As an example; Shang Tsung might identify a requirement for his first-line helpdesk team to be granted the ability to reset the passwords and unlock the accounts of non-privileged users. A role group would be created that has those rights, on specific Organisational Units, and the helpdesk team group would be joined to the role group, thus assigning those rights. This model is built up to include all the administrative staff, so that permanent Domain and Enterprise Administrators no longer exist. Servers are analysed to ensure that no services require the Domain Administrator Account and once the necessary service accounts are implemented, the account password can be changed and stored in a safe under management control. The business can then choose when Domain Administration is actually required and can wrap the requirement in an appropriate change management mechanism. HTH Cheers James D. Stallard -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael Sturtz Sent: 31 January 2011 18:16 To: Shang Tsung; [email protected] Subject: RE: Administrator in Domain Admins group The "Built in Administrator" account CAN be deleted however it is strongly cautioned against doing this. One of the reasons is it is the account that is used in safe mode should a disaster occur. If the built in Administrator account is locked out you can reboot the system in safe mode (by hitting the F8 key at startup) and still logon to the account and fix your system. If you delete or remove the built in administrator account you will be unable to logon to the system. I would recommend renaming the built in administrator account to a different name and then creating a new account named Administrator that is not a member of the Administrators or Domain Administrators group and is disabled. This account is a decoy to prevent nuisance attacks on your default administrator account. Michael Sturtz -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Shang Tsung Sent: Monday, January 31, 2011 7:58 AM To: [email protected] Subject: Administrator in Domain Admins group After an audit, I noticed that in the Domain Admins group of our domain, there is an account named Administrator. As my engineers told me, this account is created by default when you create a new domain and cannot be deleted or disabled. Is this true? I am not convinced yet. We do not like general purpose accounts like this because we lose accountability. I am pretty sure the password of that account is in the hands of people who are not supposed to have it. Each domain admin has his own account who is in the Domain Admins group, so there is no need for this Administrator account. Can we delete it? And if yes, what would be the consequences? Thanks, Shang Tsung
