[ActiveDir] Using a secret administrator account

2006-08-04 Thread Isenhour, Joseph
What is the general consensus on the use of backup admin accounts?
This is an account that is hidden to most users and has elevated
privileges in the domain.  The purpose of the account is to be able to
quickly react to an attack on the Domain Admin accounts either by a
malicious user, or a bug in a process.

The built-in Administrator account is a huge target and it's easy to
find even if you rename it.  It can't be deleted but the password can be
changed which can cause a lot of trouble.  That's why I'm starting to
think about this.

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Using a secret administrator account

2006-08-04 Thread Matheesha Weerasinghe
Well from what I've understood, I don't think your secret administrator is going to be useful in scenarios where you get issues with token limits. In those instances, the only account that is guaranteed to work is the default built-in administrator account. Even if it's disabled, you can still use it in Safe mode with Networking. Check http://www.microsoft.com/downloads/details.aspx?familyid=22dd9251-0781-42e6-9346-89d577a3e74a&displaylang=en for details.

Instead you should look to reducing the number of domain administrators in the domain and limiting them to a few trusted users. Auditing will show when passwords are changed on the default administrator account.
HTH

M@

On 8/4/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:
> What is the general consensus on the use of back up admin accounts?
> This is an account that is hidden to most users and has elevated
> privileges in the domain. The purpose of the account is to be able to
> quickly react to an attack on the Domain Admin accounts either by a
> malicious user, or a bug in a process.
>
> The built in Administrator account is a huge target and it's easy to
> find even if you rename it. It can't be deleted but the password can be
> changed which can cause a lot of trouble. That's why I'm starting to
> think about this.
>
> Thanks
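
Added example (not part of either post): the reply's point that auditing shows password changes on the default administrator account, sketched as a filter over Security-log records in Event XML form. It assumes the Windows Server 2008+ event IDs 4723/4724 and matches the built-in account by its well-known RID 500, so a rename does not hide it from the audit; the sample events, domain SID and account names are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: Server 2008+ IDs. 4723 = password change attempt, 4724 = reset attempt.
PASSWORD_EVENT_IDS = {"4723", "4724"}
# The built-in Administrator keeps RID 500 in its domain SID even when renamed.
BUILTIN_ADMIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")


def _event(event_id, when, actor, target_name, target_sid):
    """Build one constructed Security-log record (only the fields used here)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/></System><EventData>'
        f'<Data Name="SubjectUserName">{actor}</Data>'
        f'<Data Name="TargetUserName">{target_name}</Data>'
        f'<Data Name="TargetSid">{target_sid}</Data></EventData></Event>'
    )


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_EVENTS = [  # constructed records, not real log data
    _event(4724, "2006-08-04T09:15:00Z", "jdoe", "Administrator", DOMAIN + "-500"),
    _event(4723, "2006-08-04T09:20:00Z", "svc-batch", "corp-maint", DOMAIN + "-500"),
    _event(4724, "2006-08-04T09:25:00Z", "helpdesk1", "asmith", DOMAIN + "-1500"),
    _event(4738, "2006-08-04T09:30:00Z", "jdoe", "Administrator", DOMAIN + "-500"),
]


def admin_password_events(xml_records):
    """Return (time, event id, actor, target name) for each password change or
    reset aimed at the RID-500 account, whatever the account is called."""
    hits = []
    for record in xml_records:
        root = ET.fromstring(record)
        event_id = root.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in PASSWORD_EVENT_IDS:
            continue
        data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
        if BUILTIN_ADMIN_SID.match(data.get("TargetSid") or ""):
            when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
            hits.append((when, event_id, data.get("SubjectUserName"),
                         data.get("TargetUserName")))
    return hits


if __name__ == "__main__":
    for hit in admin_password_events(SAMPLE_EVENTS):
        print(*hit)
```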