Domain Administrators Account

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

When building new windows 2000 servers in our domain the first couple of times we log into the machine we log in locally. By default we leave the name of the account "Administrator". The problem is we are locking out the the Domain Administrators account when doing this. We are indeed logging in locally to a member server when this happens. Can anyone help?
 
I don't understand. So you haven't joined the domain yet? Well that would be
why the Domain Admins groups cannot login yet because the machine hasn't
joined the domain yet. The Domain Admins group gets added to the local
administrators group once you join the domain. Not sure if this answers your
question because I am not sure what your question is ;)

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

Terry Prindle said:
When building new windows 2000 servers in our domain the first couple of
Click to expand...
times we log into the machine we log in locally. By default we leave the
name of the account "Administrator". The problem is we are locking out the
the Domain Administrators account when doing this. We are indeed logging in
locally to a member server when this happens. Can anyone help?
 
The server was just built and is on the domain. When we log in as the local administrator to the member server it seems as if it is passing the credentials to the DC (even though we are logging on locally to the member server) of our domain because if we log in to the local member server more than 2 times it locks the Domain Administrators account on the DC. I am wondering why it is passing the credentials to the DC when we are logging on locally to the member server

----- Scott Harding - MS MVP wrote: ----

I don't understand. So you haven't joined the domain yet? Well that would b
why the Domain Admins groups cannot login yet because the machine hasn'
joined the domain yet. The Domain Admins group gets added to the loca
administrators group once you join the domain. Not sure if this answers you
question because I am not sure what your question is ;

--
Scott Hardin
MCSE, MCSA, A+, Network
Microsoft MVP - Windows NT Serve

Terry Prindle said:
When building new windows 2000 servers in our domain the first couple o
Click to expand...
times we log into the machine we log in locally. By default we leave th
name of the account "Administrator". The problem is we are locking out th
the Domain Administrators account when doing this. We are indeed logging i
locally to a member server when this happens. Can anyone help
 
Let me take a shot at this. First of all, best practice is to rename the
local administrator account. In other words, it should not have the same
username as the domain admin account. So, that is the first step you should
take, and it might prevent a lot of confusion about with which account you
are logging in.

Another best practice is to not use "administrator" as your domain admin
account. It should also be renamed, and it should only be used sparingly.
I would not even use it to add machines to the domain. Best practice would
be to use an actual domain user account which is a member of the domain
administrator's group. Think of it this way, administrator accounts are
like gold and you should protect them as such, with strong passwords and
non-default usernames.

Now, when you say you are logging on as local administrator, how do know?
When you are at the login screen, is your domain name showing in the
dropdown field, or is it the computer name? If the domain name is showing,
then you are using a domain account, not a local account. You would need to
click on the dropdown and change it to the computer name to use a local
account.

Finally, the only way the domain account would lock is if you are denied
access (enter wrong password) three times. Therefore that account is
definitely being accessed, but maybe not intentionally. There is a
possibility that a service was installed that was enabled to use that domain
admin account - so you might want to check services on your servers to see
if any are using it. If so, your should rectify that practice also by using
maybe a dedicated service account which you can add to the domain admin
group. You can also audit logons by turning on security auditing on all
servers, it's off by default.

Hope this helps.

Terry Prindle said:
The server was just built and is on the domain. When we log in as the
Click to expand...
local administrator to the member server it seems as if it is passing the
credentials to the DC (even though we are logging on locally to the member
server) of our domain because if we log in to the local member server more
than 2 times it locks the Domain Administrators account on the DC. I am
wondering why it is passing the credentials to the DC when we are logging on
locally to the member server?
 
Are you sure about that? An account lockout policy would not be very useful
if the admin account did not lock after a specified number of bad attempts.
What would prevent a brute force attack against that account?
Besides, it's easy to test this. Just login as another user with admin
rights, then use run as to try launching an app with the local administrator
account and intentionally type in the password wrong three times. Then
immediately go into users and groups and see if the account is locked. You
can do the same with a domain account, just be sure nobody else needs to use
it when you are testing ;-)
 
Back
Top