Educause Security Discussion mailing list archives
Re: Local Admin Accounts
From: Guy Pace <gpace () SBCTC EDU>
Date: Wed, 16 Sep 2009 13:22:28 -0700
OK, again, I have to use the disclaimer that my description was from the early dark ages of Win2k/AD. What was described in the Win2K Resource Kit and other Win2k documentation available at the time and what we experienced in our early implementation of a Windows AD network was often very different—if not a complete surprise. Your tools and capabilities now are much more mature and robust.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sweeny, Jonny
Sent: Wednesday, September 16, 2009 1:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts
The domain administrator group must be (and this is set by default when a system is joined to the domain) included in all local administrator groups. Without this, systems will drop off the domain.
Pardon me but I must correct you: While it is true that the Domain Admins group is added to the Administrators group when the machine joins the domain, it is *not* true that the machine is removed from the domain when the Domain Admins are removed from this group. We frequently remove the Domain Admins from our Admin groups and participate actively in domain membership.

--
~Jonny Sweeny, GSEC, GCWN, GCIH, GWAS
Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP & S/MIME: http://informationsecurity.iu.edu/Jonny_Sweeny
jsweeny () iu edu -- phone: (812) 855-4194 -- fax: (812) 856-1011