Administrator Account Recommendations

  • Question

  • What are the latest security recommendations for the built-in Administrator account for the domain? Should we set up another (or several) accounts and give them the appropriate permissions, like Enterprise admin, Schema admin, etc., and then disable the Administrator account? Or just rename it?

    Thanks,

    Friday, April 23, 2010 12:10 PM

Answers

  • Hi,

    I suggest that you rename the built-in Administrator account. It is not necessary to create a new account and disable the built-in Administrator. In addition, please remember to enable the "Password must meet complexity requirements" policy.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Joson Zhou Tuesday, May 4, 2010 1:18 AM
    Monday, April 26, 2010 2:07 AM
  • Hello,

    Is the built-in administrator account for the domain "The local administrator account on the server that was used to create the first domain controller"? If so, that account is critical and should not be disabled as mentioned by Joson Zhou.

    It is recommended you use "other" accounts for your daily administrative duties such as Enterprise Administrators, Domain Administrators, etc.

    Best practice would be to only use accounts with elevated privileges when necessary. In the enterprise I am a part of, the Enterprise Administrators log on with a "User" account and use "RunAs" to perform duties with elevated privileges. Obviously there will be times when that cannot be done and you have to log on with the EA account, but not on a regular basis.

    Hope that helps.

    • Proposed as answer by MagikD Monday, May 3, 2010 12:04 PM
    • Marked as answer by Joson Zhou Tuesday, May 4, 2010 1:18 AM
    Friday, April 30, 2010 11:20 AM
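
An added example, not part of the original thread or written by any of its posters: a read-only PowerShell audit of the points the two answers above raise (whether the built-in Administrator is renamed and enabled, whether password complexity is on, and who holds the elevated group memberships). It assumes the ActiveDirectory module (RSAT) is installed, and it finds the account and groups by well-known RID, which does not change when an object is renamed.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# Assumption: the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Enterprise Admins and Schema Admins exist only in the forest root domain.
$root   = Get-ADDomain -Identity $domain.Forest

# The built-in Administrator keeps RID 500 after a rename, so look it up
# by SID instead of by name.
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" `
    -Properties LastLogonDate, PasswordLastSet

$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

# Summary of the built-in account and the domain password policy.
[pscustomobject]@{
    Domain            = $domain.DNSRoot
    BuiltinAdminName  = $builtin.SamAccountName
    Renamed           = $builtin.SamAccountName -ne 'Administrator'
    Enabled           = $builtin.Enabled
    LastLogonDate     = $builtin.LastLogonDate   # replicated value, can lag by days
    PasswordLastSet   = $builtin.PasswordLastSet
    ComplexityEnabled = $policy.ComplexityEnabled
    MinPasswordLength = $policy.MinPasswordLength
}

# Privileged groups, addressed by well-known RID so renamed groups are still found.
$groups = @(
    @{ Name = 'Domain Admins';     Sid = "$($domain.DomainSID.Value)-512"; Server = $domain.DNSRoot },
    @{ Name = 'Schema Admins';     Sid = "$($root.DomainSID.Value)-518";   Server = $root.DNSRoot },
    @{ Name = 'Enterprise Admins'; Sid = "$($root.DomainSID.Value)-519";   Server = $root.DNSRoot }
)

# List every member, flagging the built-in account so day-to-day admin
# accounts can be told apart from it.
foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g.Sid -Server $g.Server -Recursive |
        Select-Object @{ n = 'Group'; e = { $g.Name } },
                      SamAccountName,
                      objectClass,
                      @{ n = 'IsBuiltinAdmin'; e = { $_.SID.Value -eq $builtin.SID.Value } }
}
```

A recent LastLogonDate on the built-in account, or a long member list in the three groups, is the signal to move routine work to separate accounts as the second answer describes.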

All replies

  • Hi,

    How are you? I want to check if you have any further questions or concerns. If there is anything further I can be of assistance, please do not hesitate to respond back.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, April 30, 2010 9:31 AM
  • Thanks for the info. Indeed the local admin was used to create the first domain controller, so I guess I will just rename it.
    Friday, April 30, 2010 6:11 PM