local/domain user

[Guest]

- Are there any best practices as how to name the local account?
- When creating a local user I suppose its not the purpose to make this user a
member of the Administrators group?
- In a company I used to work for I saw they renamed the local
Administrator user into localadmin, is this also good practice? Or isn't it
necessary to rename the local Administrator user, of course when using strong
passwords?
- when creating a local user, should this user also have access to POP3 email
or exchange via Outlook, or should only the domain user have this email
access?

thanks

 

[Bruce Chambers]

- Are there any best practices as how to name the local account?

Actually, if the computer is part of a domain, you really don't want
any local accounts at all, beyond those built into the OS.

- When creating a local user I suppose its not the purpose to make this user a
member of the Administrators group?

Not unless you want massive security and other problems, no. In fact,
you don't want any local accounts , at all.

- In a company I used to work for I saw they renamed the local
Administrator user into localadmin, is this also good practice?

The standard security practice is to rename the account, set a strong
password on it, and use it only to create another account for regular
use, reserving the built-in Administrator account as a "back door" in
case something corrupts your regular account(s).

Or isn't it
necessary to rename the local Administrator user, of course when using strong
passwords?

Belts and suspenders.

- when creating a local user, should this user also have access to POP3 email
or exchange via Outlook, or should only the domain user have this email
access?

Again - and I cannot empasize this enough - if the computer is part of
a domain, there is no good reason to create any local accounts on it.



--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

 

[Guest]

thanks for the info.

what when there's no local account present (only domain accounts) and your
domain passxord expires when working offline when not connected?

Guy

 

[Bruce Chambers]

thanks for the info.

what when there's no local account present (only domain accounts) and your
domain passxord expires when working offline when not connected?

Unless you've set a local policy to arbitrarily expire passwords, that
shouldn't happen until the computer is reconnected to the domain.
Cached credentials are normally not refreshed until such a time.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

 

[Steven L Umbach]

In an Active Directory domain you want to mainly use domain users only. Keep
in mind that Group Policy user configuration settings do NOT apply to local
users. Renaming the administrator account is of limited value but it may be
a good idea to disable it and make sure it has a strong password. When the
local administrator account is disabled it still can be used in Safe Mode.
The risk with renaming the administrator account is that if you do not have
the same name for it on all computers it will make it difficult to do tasks
like changing the administrator password with scripts or batch files that
refer to it by name which should be done periodically. Also be sure not to
use the same administrator password on workstations and servers. It would be
best to have a unique administrator password on each server and any
sensitive workstations.

Steve