What does the Domain Administrator have that I don't?

  • Thread starter: ChrisW

ChrisW

Hello,

Silly question, I know. I understand you cannot delete the Domain
Administrator, and that it has a static SID. But, say I give myself all
the same rights as administrator. Is there any reason why I could not
disable the account and forget about it?

Thanks in advance,

ChrisW
 
You can't disable the built-in administrator account in Windows 2000, but you
can in XP Pro/Windows 2003, which will leave it available only for logon in
safe mode. What you could do is give it a very complex password that is
written down and stored in a couple of safe places, like sealed in an
envelope in a safe, and then use accounts added to the domain admins group
for your domain administrator needs. The other advantage of the built-in
administrator account is that it cannot be removed from the administrators
group for the domain, while any other account or group can. Of course, a
domain administrator can change the password on the built-in administrator
account. If you are not sure that you can trust your domain administrators,
that could be a concern, and enabling auditing of account management in Domain
Controller Security Policy would record an event when a password is changed
or reset on any user account. The command net user username will also show
the password last set date for any account, which may also be helpful in
monitoring the administrator account.

--- Steve
 
Chris,

Let's get clear on a couple of minor things, with big differences.
Domain Admins is a group. You are free to remove an account
from the group that you do not want to have those capabilities,
just as you can add another to it in order to give it those abilities.
This group is used in many, many places to grant the abilities,
so replicating that would be very difficult, and of course not
needed as you can alter the group's membership.
 