
    Domain Administrator or (s)? Best practices?

    • scottalanmiller

      You should...

      • Never have your normal account be an admin at all.
      • Never share accounts

      So for any admin, they would have their normal account and their own admin account.

      • scottalanmiller @brianlittlejohn

        @brianlittlejohn said:

        Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built-in account.

        No different than you should be doing for your laptop at home. Nothing special here.

        • LAH3385

          Here are the changes:
          Built-in Administrator: Change password.
          I created a new account with @brianlittlejohn's suggestion and made it domain admin.
          Same with the new manager.

          Thanks

          • Jason Banned

            I wouldn't include admin anywhere in account names; it makes it too obvious. After all, anyone can do an LDAP lookup (and therefore any software) even as a standard user.

            For example, ours are first.last for normal, and for admin we use (without the parentheses) (first initial)(last name) or (first initial)(middle initial)(last name).

            All built-in admins on the domain are renamed to random names. And the local administrator is deleted with a new one created with a random name (this is so the SID will not be the same).

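One way to audit the rules from the posts above (a separate personal and admin account per person, no shared accounts, a renamed built-in Administrator, no "admin" in names), as an added example that is not part of any post. The account data is constructed, and the CSV columns, the function name and the first.last pairing rule (taken from the naming convention described above) are assumptions.

```powershell
# Constructed sample export (not real accounts). On a live domain the same
# columns could be filled from Get-ADUser / Get-ADGroupMember output.
$csv = @'
Sam,Sid,Given,Surname,DomainAdmin
Administrator,S-1-5-21-1111-2222-3333-500,,,yes
john.smith,S-1-5-21-1111-2222-3333-1104,John,Smith,no
jsmith,S-1-5-21-1111-2222-3333-1105,John,Smith,yes
mary.jones,S-1-5-21-1111-2222-3333-1106,Mary,Jones,yes
itadmin,S-1-5-21-1111-2222-3333-1107,,,yes
'@

function Test-AdminAccountHygiene {    # hypothetical helper, not a built-in cmdlet
    param([Parameter(Mandatory)] [object[]] $Accounts)

    # Personal (non-admin) accounts, assumed to be named first.last
    $normalNames = @($Accounts | Where-Object { $_.DomainAdmin -ne 'yes' } |
                     ForEach-Object { $_.Sam })

    foreach ($a in ($Accounts | Where-Object { $_.DomainAdmin -eq 'yes' })) {
        $issues = @()
        if ($a.Sid -match '-500$') {
            # The built-in Administrator always has a SID ending in -500
            if ($a.Sam -eq 'Administrator') {
                $issues += 'built-in Administrator still has its default name'
            }
        }
        else {
            if ($a.Sam -match 'admin') {
                $issues += 'name advertises that the account is privileged'
            }
            if ($a.Sam -match '^[a-z]+\.[a-z]+$') {
                $issues += 'first.last (daily-use) account is a domain admin'
            }
            elseif ([string]::IsNullOrEmpty($a.Given) -or
                    $normalNames -notcontains "$($a.Given).$($a.Surname)") {
                $issues += 'no matching personal account; possibly shared or generic'
            }
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Account = $a.Sam; Issues = $issues -join '; ' }
        }
    }
}

# Run the audit over the constructed export
Test-AdminAccountHygiene -Accounts ($csv | ConvertFrom-Csv) | Format-List
```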
            • LAH3385 @Jason

              @Jason said:

              All built-in admins on the domain are renamed to random names. And the local administrator is deleted with a new one created with a random name (this is so the SID will not be the same).

              Do you do this via GPO? If so, any KB or TechNet link for this? I am sure I can find this within a couple of minutes of googling, but the more the better. 🙂

              • hobbit666 @brianlittlejohn

                @brianlittlejohn said:

                Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built-in account.

                I really need to start doing this!!!

                • MattSpeller @hobbit666

                  @hobbit666 said:

                  @brianlittlejohn said:

                  Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built-in account.

                  I really need to start doing this!!!

                  It pissed me off for a while but once you start using it you realize (or at least I did) how many potentially sketchy as frig things you do on a computer every day

                  • wrx7m @LAH3385

                    @LAH3385 I hope to add someone, more of a helpdesk though, and was wondering the same thing.

                    • LAH3385 @wrx7m

                      @wrx7m
                      I would not be the best person to answer the question. 😛
                      But if I were adding a help desk to my team I would give him the same setup as what @brianlittlejohn mentioned previously, but limit access to server via remote desktop. Or simply deny his account altogether. Other than that I think helpdesk needs admin rights and whatnot.

                      • Jason Banned @LAH3385

                        @LAH3385 said:

                        @wrx7m
                        I would not be the best person to answer the question. 😛
                        But if I were adding a help desk to my team I would give him the same setup as what @brianlittlejohn mentioned previously, but limit access to server via remote desktop. Or simply deny his account altogether. Other than that I think helpdesk needs admin rights and whatnot.

                        If he doesn't need domain admin rights you can just promote an account via a GPO as a local admin so he doesn't have unnecessary access.

                        • wrx7m @LAH3385

                          @LAH3385 Yeah, I am going to allow them very limited access to the domain. Probably won't give domain admin. Just allow him local admin under a secondary account to desktops/laptops. I am also going to have to figure out access to AD for things like creating users and password resets etc.
