...And further to Laura's second point: The Local Administrator account used on Domain Controllers when logging in using Directory Services Restore Mode (DSRM) has a different password and a different set of rights to the Domain Administrator account. The account is referred to here as the DSRM account.
The password for the DSRM account is set during the DCPROMO process to create the Domain Controller, and is set independently (and often differently) on each individual Domain Controller. These passwords are typically lost! Windows 2008R2 allows you to automate the changing of these passwords to sync them with password of another account. My personal preference is to hold the Domain Administrator account in trust (as per previous post) and sync the DSRM account password on each Domain Controller with the Domain Administrator account password. This can easily be automated with Group Policy Preference to affect all current and future Domain Controllers. The DSRM account rights cannot be broken down and delegated, but the passwords can be held in trust to maintain control over the environment by the business - NOT the IT Department. These passwords change rarely, so must be strong enough to resist attack for extended periods. Consider a 25 character passphrase using mixed case, numbers, letters and punctuation as the minimum acceptable length to defend against the current abilities of the password cracker. Cheers James James D. Stallard Email: [email protected] Mobile: +44 (0) 7979 49 8880 Skype: JamesDStallard -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Laura A. Robinson Sent: 09 February 2011 19:04 To: 'Michael Sturtz'; 'Shang Tsung'; [email protected] Subject: RE: Administrator in Domain Admins group Resending as there was a "failure to act" on the prior post and the points are valid and important, IMO. :-) Laura -----Original Message----- From: Laura A. Robinson [mailto:[email protected]] Sent: Monday, January 31, 2011 10:04 PM To: 'Michael Sturtz'; 'Shang Tsung'; [email protected] Subject: RE: Administrator in Domain Admins group A couple of small corrections- 1. The built-in Administrator account cannot be deleted via normal mechanisms. Any mechanisms that might work to delete the account would be unsupported. 2. The Administrator account for the domain and the local Administrator account for a DC booted into DSRM are not actually the same account. Thanks, Laura -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael Sturtz Sent: Monday, January 31, 2011 1:16 PM To: Shang Tsung; [email protected] Subject: RE: Administrator in Domain Admins group The "Built in Administrator" account CAN be deleted however it is strongly cautioned against doing this. One of the reasons is it is the account that is used in safe mode should a disaster occur. If the built in Administrator account is locked out you can reboot the system in safe mode (by hitting the F8 key at startup) and still logon to the account and fix your system. If you delete or remove the built in administrator account you will be unable to logon to the system. I would recommend renaming the built in administrator account to a different name and then creating a new account named Administrator that is not a member of the Administrators or Domain Administrators group and is disabled. This account is a decoy to prevent nuisance attacks on your default administrator account. Michael Sturtz -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Shang Tsung Sent: Monday, January 31, 2011 7:58 AM To: [email protected] Subject: Administrator in Domain Admins group After an audit, I noticed that in the Domain Admins group of our domain, there is an account named Administrator. As my engineers told me, this account is created by default when you create a new domain and cannot be deleted or disabled. Is this true? I am not convinced yet. We do not like general purpose accounts like this because we lose accountability. I am pretty sure the password of that account is in the hands of people who are not supposed to have it. Each domain admin has his own account who is in the Domain Admins group, so there is no need for this Administrator account. Can we delete it? And if yes, what would be the consequences? Thanks, Shang Tsung
