Creating a new Domain level Admin Account

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

We want to change out domain administrator account to give it a new name and
better password. The problem is that over the years, I know that the
administrator account is the logon account for some services and also is used
for authentication for our tape backup jobs...I'm also pretty sure that it is
used elsewhere, but would have to research that.

My thought was to create a new domain administrator account with a
non-obvious name and highly-complex password and to go through each server
examing the services and jobs that use the default administrator account and
change it to the new one. Then, when I'm pretty sure that I've found
everything, I'd change the name of the default administrator account and give
it a highly-complex password. We would continue to use this newly name
default administrator account for logging in for domain things, and the new
administrator account that I create for things like applications and services
that need that level of access.

I have two questions. First, does this seem like a reasonable solution?
Second, how is this best done so that the new administrator has all the
rights and premissions that the default one has?

Thanx...Jon
 
Jon Yiesla said:
We want to change out domain administrator account to give it a new name
and
better password. The problem is that over the years, I know that the
administrator account is the logon account for some services and also is
used
for authentication for our tape backup jobs...I'm also pretty sure that it
is
used elsewhere, but would have to research that.
Click to expand...

There is no true extra security unless you fix that password
too.

Bite the bullet, change the password, find the misconfigured
services and give them their own accounts with randomized
20-character, complex passwords.
My thought was to create a new domain administrator account with a
non-obvious name and highly-complex password and to go through each server
examing the services and jobs that use the default administrator account
and
change it to the new one.
Click to expand...

Most/many services should actually have their OWN SPECIFIC
accounts. Then when you need to change one of them you don't
have to change them all.
Then, when I'm pretty sure that I've found
everything, I'd change the name of the default administrator account and
give
it a highly-complex password.
Click to expand...

20-characters too.

Changing the Admin account name is of only limited actual
security value since the SID is well known.
We would continue to use this newly name
default administrator account for logging in for domain things,
Click to expand...

"We" -- EACH Admin should also have their own Admin account
(as well as a "regular account" for normal work.) Admin
accounts should generally NOT be shared.
and the new
administrator account that I create for things like applications and
services
that need that level of access.
Click to expand...

And each of these should have their own too.
I have two questions. First, does this seem like a reasonable solution?
Click to expand...

Not quite complete but on the right path.
Second, how is this best done so that the new administrator has all the
rights and premissions that the default one has?
Click to expand...

COPY the old admin account. Do not try to create it fresh.

Not all services even NEED an admin account either. Some
do, some don't.
 
Back
Top