Administrator and Domain Administrator

From: Jeff (jeff@nospam.com)
Date: 08/12/02


From: "Jeff" <jeff@nospam.com>
Date: Mon, 12 Aug 2002 14:24:02 -0700


My first obvious question is why do you have numerous
Domain Admins in the first place?

We have 10,000+ users and have only two Domain Admins,
with the domain administrator account's password locked
away in two different locations in case something would
happen to those two people.

No one here uses the Domain "Administrator" account, and
it would only be used in an emergency, as described
above. Having multiple people with access to this account
provides no means of an audit trail.

I could be wrong, but to my knowledge, there really is no
way to enforce this. What you can do is isolate the
Domain "Administrator" account's password and give people
who need that authority the rights on their own, or a
separate, user ID. (We use our employee ID followed by an
X.) Obviously, doing it this way, you will be able to
generate an audit trail that you can follow. Sounds to me
like you have too many people who know the
Domain "Administrator" password and are abusing the
privilege. Without an audit trail, you'll never be able
to either.

You'll hear rumblings about this...just as I'm sure I will
when I go to enforce strong passwords across the domain.

>-----Original Message-----
>I've asked this in the past, and have always received a quasi-general
>response, such as use policies to control the problem. Please provide a
>specific solution to my question.
>
>The "Domain Admin" can change passwords at will--including the Administrator
>password. I would like a suggestion on how we can protect the all-powerful
>Administrator account from having its password 'reset' by a Domain
>Administrator. It seems foolish to create and enforce a complex password
>policy for this account when any Domain Admin can simply change it at his
>will.
>
>--
>David M. Streb, MCSE
>Exiis Communications
>Full Service Network Solutions
>http://www.exiis.net/
>dave@exiis "dot" net

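The audit-trail point Jeff makes above, worked through as an added example that is not part of either post: given password-reset audit records, flag every reset of the shared Domain "Administrator" account and report whether the actor was a personal admin ID (the "employee ID followed by an X" convention) or the shared account itself, in which case the trail names no person. The one-JSON-object-per-line log format and its field names are assumptions for the example; Windows Security event ID 4724 ("An attempt was made to reset an account's password") is real but only exists on Vista/2008 and later, while the Windows 2000-era systems in this thread logged the equivalent as event 628.

```python
"""Attribute resets of the built-in Domain "Administrator" password.

Added example, not code from the original thread. The record format and
field names below are assumed; real exports will differ.
"""
import json
import re

# 628 is the Windows 2000/2003 "User Account password set" event,
# 4724 the Vista/2008+ "attempt was made to reset an account's password".
PASSWORD_RESET_EVENTS = {628, 4724}

# Personal admin IDs follow the convention from the post: employee ID + "X".
PERSONAL_ADMIN_ID = re.compile(r"^\d+X$")

# Constructed sample audit records (not real logs).
SAMPLE_LOG = """
{"event_id": 4724, "subject": "12345X", "target": "Administrator", "time": "2002-08-12T14:00:00"}
{"event_id": 4724, "subject": "12345X", "target": "jsmith", "time": "2002-08-12T14:05:00"}
{"event_id": 4724, "subject": "Administrator", "target": "Administrator", "time": "2002-08-12T14:10:00"}
{"event_id": 4624, "subject": "67890X", "target": "", "time": "2002-08-12T14:11:00"}
""".strip()


def parse_records(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_admin_resets(records, protected="Administrator"):
    """Return (time, actor, attributable) for each reset of the protected account.

    attributable is True when the actor used a personal admin ID, so the
    audit trail names a person; False when the shared account itself (or an
    unrecognised ID) did the reset and the trail tells you nothing useful.
    """
    hits = []
    for r in records:
        if r.get("event_id") not in PASSWORD_RESET_EVENTS:
            continue
        if r.get("target", "").lower() != protected.lower():
            continue
        actor = r.get("subject", "")
        hits.append((r["time"], actor, bool(PERSONAL_ADMIN_ID.match(actor))))
    return hits


if __name__ == "__main__":
    for when, who, attributable in find_admin_resets(parse_records(SAMPLE_LOG)):
        status = "attributable to a person" if attributable else "NOT attributable (shared account used)"
        print(f"{when}: {who} reset the Administrator password - {status}")
```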
