Re: Local Admin Accounts

["Smith, Bob" <smithrj () LONGWOOD EDU>]

Everyone is posting some great ideas for handling computers on the domain, but how are you dealing with computers 
(laptops) that might not be on the domain?  Are you simply giving them an elevated local account, using 2 local 
accounts (one non-admin and one admin) or something else?

Bob Smith
Information Security Officer
Longwood University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Strzelec, Wally
Sent: Wednesday, September 16, 2009 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts


1.       We are using Vista in our labs and disable the local Administrator account.


2.         See #4.


3.       We have never had any issues with machines dropping out of the domain.  (2500 machines)



4.       We do not allow anonymous account access, everyone uses their domain account for what they need.  For 
administrative access we use group policy.  We created an OU that contains groups with the same name as the computer.  
A group policy will then add the group %COMPUTERNAM% to the local administrators group.  We simply add the user to the 
appropriate %COMPUTERNAM% group and they are an Administrator of that and only that machine.  We use the same GPO to 
remove everyone with the exception of the folks we specify, from all of the groups just in case one of our 
%COMPUTERNAM% group Administrators decide to add themselves or someone else to something that they should not.



5.       Use the Active Directory and Group Policies.

-Wally Strzelec
 Computing and information Services
 Texas A&M University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, 
Ronald A.
Sent: Wednesday, September 16, 2009 1:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Local Admin Accounts

I would like to inquire as to what other Universities are doing with regard to local admin accounts in Windows domain.  
We are contemplating removing or disabling local administrator accounts across the board and use a Workstation 
Administrators group in Active Directory.


1.       Has anyone disabled the local Administrator account?

2.       How do you handle when a machine can no longer talk to the network or domain, whether a hardware failure or 
lost trust?

3.       If a machine loses its trust with the domain, what cause this?

4.       Is there a method of creating a unique password for each machine for the administrator account, or someway of 
not having to give out one password that gives someone access to anything and everything?

5.       Any other advice?

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu<mailto:raking () nsu edu>
http://security.nsu.edu