Re: Disable or rename administrator account



OK. Glad you got the supporting documentation and thanks for posting it.

Steve


"UBEST" <ubest@xxxxxxxxx> wrote in message
news:9llpf2ddpftpeej4lmo5pc2u826n6kd5ee@xxxxxxxxxx
Steve,

You are right. I got the answer from Microsoft too:

http://i.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch05n.mspx

Thanks again.

On Sun, 3 Sep 2006 22:06:05 -0500, "Steven L Umbach"
<n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

As long as the real account name is known there will not be any problem.
However, as time goes on it is surprising how such things can be forgotten
or hard to find. Again, for AD Restore and Recovery Console on a domain
controller the built in administrator account for the domain is not used
but the built in administrator account for the domain controller that was
configured during dcpromo is used. I can't see it being a problem on other
servers as long as the built in administrator account name and password is
known. As always, if you are unsure it is best to test what happens in a
non destructive way for the domain.

Steve

http://support.microsoft.com/kb/322672/ -- Directory Services Restore Mode Administrator Account


"UBEST" <ubest@xxxxxxxxx> wrote in message
news:eb3nf2pgtmea0c2c0hbs65v57flg5f12d3@xxxxxxxxxx
Hi Steve,

Thank you for your input. Auditor suggested we should rename built-in
domain and local member server administrator account. Microsoft Best
Practice Guide mentioned that renaming built-in administrator account is
not secure enough since hacker has tools to easily identify built-in
admin account (SID ending with 500). However, Microsoft doesn't
mention any reference about how this change affects disaster recovery
procedure for AD or member servers or standalone server.

On Fri, 1 Sep 2006 14:55:48 -0500, "Steven L Umbach"
<n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Disabling an administrator account disables it for network or normal
interactive logon. You still can log on in Safe Mode. AD Recovery is a type
of Safe Mode and does not use the administrator account for the domain
anyhow as it uses the built in administrator account for that domain
controller which is what you are prompted for in AD recovery. I believe it
should also work in Recovery Console and that would be easy enough to test.
In my opinion, as long as other security best practices are followed,
renaming the built in administrator account, particularly if it is
disabled, is of little value and can pose a problem if it is forgotten. The
free password reset disk at the link below can also enable/disable accounts
and identify the administrator account. You also want to make sure that you
are not using the same password on the general population domain computers
for the built in administrator account as you do on servers and sensitive
workstations.

Steve

http://home.eunet.no/~pnordahl/ntpasswd/


"UBEST" <ubest@xxxxxxxxx> wrote in message
news:dd2hf2hovhsnkpa4r4kkc1vm9si7heuv34@xxxxxxxxxx
For security reasons, we have to disable or rename Domain administrator
account and domain member server's local administrator account.
We have some concerns about the changes:

Can anyone please answer the following concerns?

If we rename or disable administrator account for AD or Windows 2003
local administrator account, what are the impacts on disaster recovery of
AD and standalone Windows 2003 servers, member servers?

For a standalone or member server, if we disable or rename local
administrator account, when disaster happens, when we have to run
disaster recovery, for example, recovery console mode, system will
prompt you for administrator password. If we disable or rename
built-in administrator account, will we still be able to get into
recovery console mode? And how?

If we do system repair portion of Windows 2003 setup, if we are
prompted for Administrator password, how can we get past this
step?

For renaming or disabling AD administrator account, if disaster happens
to AD, how will it affect disaster recovery procedure?

Thanks
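
The thread notes that the built-in administrator keeps a SID ending in 500 after a rename, and that a renamed account's name is easily forgotten. The following is an added example, not part of the original posts, that records the account's current name and state before a recovery is needed; it assumes a standalone or member server with PowerShell 3.0 or later (for Get-CimInstance) and an English default account name of 'Administrator'.

```powershell
# Added example: locate the built-in local Administrator by its RID (500)
# instead of by name, so the lookup still works after a rename.
$accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True"

# Local account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
# RID 500 is always the built-in administrator account.
$builtin = $accounts | Where-Object { $_.SID -match '^S-1-5-21(-\d+){3}-500$' }

if (-not $builtin) {
    Write-Warning "No RID 500 account returned; check permissions and WMI health."
    return
}

# Emit one record suitable for the disaster recovery documentation.
# 'Administrator' is the assumed default name (English installations).
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    CurrentName = $builtin.Name
    Renamed     = ($builtin.Name -ne 'Administrator')
    Disabled    = $builtin.Disabled
    SID         = $builtin.SID
    CheckedOn   = (Get-Date).ToString('yyyy-MM-dd')
}
```

The same lookup shows why a rename alone hides little: anything able to enumerate accounts can match on the RID rather than the name.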



