disable local admin account

    Question

    1. Windows Server 2008 R2 sp1

    I've been meaning to change the local admin passwords for all our domain computers, but due to an update this is no longer available via the GPO.

    Now this link http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx suggests a way, but for an environment where I can't have a lab, I can't do as suggested by the article due to the schema changes it will do.

    My thinking now is, since the issue here is the local admin password, I thought I'll do the following instead:

    1. disable the local admin account across the domain; anyway domain admins already are members of the local admin group
    2. create a restricted group that are also members of the local admin group

    My reasoning for the first one is, the local admin account is seldom used, if ever, plus from a security point of view, disabling a known admin account is a plus.

    The restricted group members are controlled by me and there are only a few people in there. This group is required for doing admin stuff like installing/removing applications. Printers are already managed by GPO.

    I'm just bouncing around my idea as I've mentioned; since the removal from GPO of the ability to change the local admin password, I've come to see that the local admin is no longer required.

    My only reservation is, what if the computer was disconnected from the domain? Will the domain accounts like "domain admins" and "restricted groups" still be able to do admin work?

    Thursday, January 14, 2016 8:42 AM

All replies

  • Hi,
     
    On 14.01.2016 at 09:42, Reno Mardo wrote:
    > I can't do as suggested by the article due to schema changes it will
    > do.
     
    Why? Why is everyone afraid of adding 2 simple attributes that will not
    interfere with anything else in the world?
    Why do you think their names are some kind of strange "ms-mcs-admipwd"
    and "ms-mcs-admpwdexpires" and not "password" and "expires"?
    Just to avoid use by another application.
     
    Not having a test lab is no excuse:
    Any workstation with Windows 8 and up can run Hyper-V; VMware Player or
    VirtualBox run on 7 as well.
    Installing a test DC with a test client for this scenario will only take
    2 hours, even faster when using a backup of your DC ...
     
    > 1. disable the local admin account across the domain; anyway domain
    > admins already are members of local admin group
    > 2. create a restricted group that are also members of local admin group
     
    3. Remove Domain Admins from any client's Admin group
    4. Create your own "this-department-client-admin-group" or
    "client-admingroup" and add this.
    Probably some of your domain admins do client tasks, but if it's not all
    of them it's better to separate them by the jobs they do.
    5. Probably the Admin account is activated, due to a problem in GP
    processing, or you need an exception: Add "Deny Access from Network"
    (LocalSecurity\SecurityOptions) = Administrator
    No, you cannot connect to a system via RPC with this account, even if
    you know the password and the account is active.
    6. Add LAPS anyway, because it is the easiest way to generate individual
    passwords. If 1.) and 5.) do fail and the password is identical on every
    client you can access all systems where admin is active and the HASH is
    the same.
     
    Your defence line is like:
    1. Account is disabled: Very safe, best way, but not 100% possible
    (road warriors, notebooks without permanent contact ...)
    2. Individual passwords, so no one can break "all" by knowing one.
    3. Deny Access from network.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Thursday, January 14, 2016 10:23 AM
  • Hi,
     
    How is it going? Just checking in to see if the above information was helpful. Please let us know if you would like further assistance.
     
    Thanks,

    Regards,

    Ethan Hua

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, January 18, 2016 4:49 AM
    Moderator
  • Hi, I am still waiting for other viewpoints. I don't see a problem with my plans, so far.
    Monday, January 18, 2016 5:49 AM
  • Hi,

    While I fully agree with you that having no test environment is a "sin", this is what I have and must work with: no test environment.

    Road warriors are not an issue in itself, as per our experience they must have local admin privileges.

    I do not quite understand the fifth line:

    5. Probably the Admin account is activated, due to a problem in GP
    Process, or you need an exception: Add "Deny Access from Network"
    (LocalSecurity\SecurityOptions) = Administrator
    No, you can not connect to a system via RPC with this account, even if
    you know the password and the account is active.

    Can you please explain or elaborate further.

    Regards,

    Reno

    Monday, January 18, 2016 8:03 AM
  • Hi,
     
    On 18.01.2016 at 09:03, Reno Mardo wrote:
    > i do not quite understand the fifth line:
    > [...] can you please explain or elaborate further.
     
    The desired state is: disabled Admin account.
    If the Admin account is disabled, there is no need to worry about the
    password, because you can never connect with RPC to a remote system
    using this account or log on locally.
     
    What will happen if:
    - The account is active, for whatever reasons?
      -> you need a password
     
    What if:
    - The password is everywhere the same and there are more systems having
    the Admin account enabled?
      -> you need individual passwords, so no one can use the HASH to
    connect via RPC
      -> or set "Deny Access from Network". Even if I know the password in
    PLAINTEXT, I cannot connect.
     
    Combining all is the "highest" level:
    - disable the Admin account, nothing can happen
    - using individual passwords makes PtH attacks more difficult
    - deny access from network, "knowledge" (knowing of passwords) is no
    longer a security issue.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Monday, January 18, 2016 9:45 AM
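    As an added check (not code from the thread or from Mark's posts), the PowerShell audit below reports, for one client, the three layers Mark lists in his two replies: whether the built-in Administrator (RID 500) is disabled, who holds local Administrators membership, and whether SeDenyNetworkLogonRight ("Deny access to this computer from the network") names the built-in account. It assumes an elevated prompt on a domain-joined client with WMI, the WinNT ADSI provider and secedit available; the file name and object layout are my own.

```powershell
# Added audit script; run elevated on a domain client (secedit needs admin rights).
# WMI + ADSI + secedit are used so it also works on Windows 7 / PowerShell 2.0.

function Get-BuiltinAdministrator {
    # RID 500 identifies the built-in Administrator even if it has been renamed.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object Name, SID, Disabled -First 1
}

function Get-LocalAdministratorsMembers {
    # Returns members as DOMAIN/Name (or COMPUTER/Name for local accounts).
    $group = [ADSI]"WinNT://./Administrators,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''
    })
}

function Get-DenyNetworkLogonRight {
    # secedit exports user rights to an .inf; SIDs on that line are prefixed with '*'.
    $inf = Join-Path $env:TEMP ('secpol-audit-{0}.inf' -f [guid]::NewGuid())   # constructed temp name
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
        if ($line) { ($line -replace '^SeDenyNetworkLogonRight\s*=\s*', '') -split ',' } else { @() }
    } finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

$admin   = Get-BuiltinAdministrator
$members = Get-LocalAdministratorsMembers
$denied  = Get-DenyNetworkLogonRight

New-Object PSObject -Property @{
    Computer             = $env:COMPUTERNAME
    BuiltinAdminName     = $admin.Name
    BuiltinAdminDisabled = [bool]$admin.Disabled          # Mark's layer 1
    LocalAdministrators  = $members -join '; '            # should be your restricted group, not Domain Admins
    AdminDeniedNetwork   = [bool]($denied | Where-Object {   # Mark's layer 3
        $_ -eq "*$($admin.SID)" -or $_ -eq $admin.Name -or $_ -like "*\$($admin.Name)" })
    # Layer 2 (unique password / LAPS) only matters on boxes where the account is still active.
    NeedsUniquePassword  = -not [bool]$admin.Disabled
} | Format-List
```

    A machine that reports BuiltinAdminDisabled false and AdminDeniedNetwork false is exactly the case Mark warns about, where a shared password hash would let the account be used remotely.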
  • On 18.01.2016 at 10:45, Mark Heitbrink [MVP] wrote:
    > - disable Adminaccount, nothing can happen
      ... with this account :-)
     
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Monday, January 18, 2016 10:34 AM