Re: W2k3 - Recover from lost Domain Admin passwords
From: Ulf B. Simon-Weidner (nospam2-ulf_at_usw-consulting.com)
Date: 01/25/04
- Next message: Antonio Lam: "Re: Account Lockout Policy"
- Previous message: Roger Abell [MVP]: "Re: Creating Private Folders in 2003 Server - I'm messing up the security settings"
- In reply to: Robert Strom: "W2k3 - Recover from lost Domain Admin passwords"
- Next in thread: Laura A. Robinson [MVP]: "Re: W2k3 - Recover from lost Domain Admin passwords"
- Reply: Laura A. Robinson [MVP]: "Re: W2k3 - Recover from lost Domain Admin passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 25 Jan 2004 00:33:43 +0100
Robert Strom says...
[he wants to reset the domain-admin pwd without knowing it]
> The "LOCAL SERVICE" account doesn't have the necessary permissions to use
> the described techniques to change the Domain Admins password (I used the
> default Administrator account in my testing).
>
> I'm all for security, but this seems like a potential nightmare. Physical
> security is really the issue at hand here. All Unix system can be broken
> into with a bootable system CD-ROM. I personally see a need for having the
> ability to recover from a situation where all passwords are compromised
> without having to resort to restoring the entire AD from backup.
>
Hello Robert,
your passwords are more easily compromised if you leave this whole open.
If you are all for security, then I'd create a domain admin password which is
totally random, and something like 30-50 letters. Print it out, and put it into
a safe. Don't use the domain admin account, but create admin accounts which are
individual per user. Give them just the rights they need. Educate them not to
log on with their adminaccount, but their useraccount and use RunAs for
administrative Tasks. Change the domain admin account quite frequently - like
once a month (every other month should be OK as well, if you use about 50
letters). Treat the service accounts like your domain admin account.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
- Next message: Antonio Lam: "Re: Account Lockout Policy"
- Previous message: Roger Abell [MVP]: "Re: Creating Private Folders in 2003 Server - I'm messing up the security settings"
- In reply to: Robert Strom: "W2k3 - Recover from lost Domain Admin passwords"
- Next in thread: Laura A. Robinson [MVP]: "Re: W2k3 - Recover from lost Domain Admin passwords"
- Reply: Laura A. Robinson [MVP]: "Re: W2k3 - Recover from lost Domain Admin passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
