Re: Domain Administrators Account

From: serverguy (nospammers_at_spambites.com)
Date: 03/04/04

    Date: Thu, 4 Mar 2004 12:28:25 -0500
    
    

    Let me take a shot at this. First of all, best practice is to rename the
    local administrator account. In other words, it should not have the same
    username as the domain admin account. So, that is the first step you should
    take, and it might prevent a lot of confusion about which account you
    are logging in with.

    Another best practice is to not use "administrator" as your domain admin
    account. It should also be renamed, and it should only be used sparingly.
    I would not even use it to add machines to the domain. Best practice would
    be to use an actual domain user account which is a member of the domain
    administrator's group. Think of it this way: administrator accounts are
    like gold and you should protect them as such, with strong passwords and
    non-default usernames.

    Now, when you say you are logging on as local administrator, how do you know?
    When you are at the login screen, is your domain name showing in the
    dropdown field, or is it the computer name? If the domain name is showing,
    then you are using a domain account, not a local account. You would need to
    click on the dropdown and change it to the computer name to use a local
    account.

    Finally, the only way the domain account would lock is if you are denied
    access (enter wrong password) three times. Therefore that account is
    definitely being accessed, but maybe not intentionally. There is a
    possibility that a service was installed that was enabled to use that domain
    admin account - so you might want to check services on your servers to see
    if any are using it. If so, you should rectify that practice also by using
    maybe a dedicated service account which you can add to the domain admin
    group. You can also audit logons by turning on security auditing on all
    servers; it's off by default.

    Hope this helps.

    "Terry Prindle" <anonymous@discussions.microsoft.com> wrote in message
    news:CA4E5E88-9C82-4C6E-ADAD-EFB3F4E944FD@microsoft.com...
    > The server was just built and is on the domain. When we log in as the
    > local administrator to the member server it seems as if it is passing the
    > credentials to the DC (even though we are logging on locally to the member
    > server) of our domain because if we log in to the local member server more
    > than 2 times it locks the Domain Administrators account on the DC. I am
    > wondering why it is passing the credentials to the DC when we are logging on
    > locally to the member server?
    >
    > ----- Scott Harding - MS MVP wrote: -----
    >
    > I don't understand. So you haven't joined the domain yet? Well that would be
    > why the Domain Admins groups cannot login yet because the machine hasn't
    > joined the domain yet. The Domain Admins group gets added to the local
    > administrators group once you join the domain. Not sure if this answers your
    > question because I am not sure what your question is ;)
    >
    > --
    > Scott Harding
    > MCSE, MCSA, A+, Network+
    > Microsoft MVP - Windows NT Server
    >
    > "Terry Prindle" <prindte@dwd.state.wi.us> wrote in message
    > news:A9D884DD-17F6-4676-927A-311309B27C2B@microsoft.com...
    > > When building new Windows 2000 servers in our domain the first couple of
    > > times we log into the machine we log in locally. By default we leave the
    > > name of the account "Administrator". The problem is we are locking out the
    > > Domain Administrators account when doing this. We are indeed logging in
    > > locally to a member server when this happens. Can anyone help?
    >
    >
    >
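
The service check suggested in the reply above, as an added example that is not part of the original thread: it lists every service on a set of servers that logs on with a user account and flags those using the domain admin account. `EXAMPLE\Administrator` and the default server list are placeholders, and the script assumes a current PowerShell with the CIM cmdlets rather than the Windows 2000 tooling of the thread.

```powershell
# Added example (not from the thread): find services whose logon account is
# the domain admin account. A stale password on such a service produces
# repeated failed logons and can lock the account out.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # assumption: servers to check
    [string]$Account = 'EXAMPLE\Administrator'       # placeholder account name
)

# Built-in service identities; these are not user accounts and cannot lock out.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

$results = foreach ($computer in $ComputerName) {
    # Query the local machine directly; use -ComputerName only for remote hosts.
    $query = @{ ClassName = 'Win32_Service'; ErrorAction = 'Stop' }
    if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

    try {
        Get-CimInstance @query |
            Where-Object { $_.StartName -and $builtin -notcontains $_.StartName } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $computer
                    Service   = $_.Name
                    StartName = $_.StartName   # DOMAIN\user, .\user or user@domain
                    StartMode = $_.StartMode
                    State     = $_.State
                    # A leading ".\" means a local account, not the domain one.
                    IsLocal   = $_.StartName.StartsWith('.\')
                    IsTarget  = ($_.StartName -ieq $Account)
                }
            }
    } catch {
        # An unreachable server is reported, not silently skipped.
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
    }
}

# Services using the target account sort to the top.
$results | Sort-Object IsTarget -Descending | Format-Table -AutoSize
```

Rows with `IsTarget` set are the services to move to a dedicated service account.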

