Educause Security Discussion mailing list archives

Re: Local Admin Accounts


From: Guy Pace <gpace () SBCTC EDU>
Date: Wed, 16 Sep 2009 13:22:28 -0700

OK, again, I have to use the disclaimer that my description was from the early dark ages of Win2k/AD. What was 
described in the Win2K Resource Kit and other Win2k documentation available at the time and what we experienced in our 
early implementation of a Windows AD network was often very different—if not a complete surprise. Your tools and 
capabilities now are much more mature and robust.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sweeny, Jonny
Sent: Wednesday, September 16, 2009 1:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts


> The domain administrator group must be (and this is set by
> default when a system is joined to the domain) included in
> all local administrator groups. Without this, systems will
> drop off the domain.

Pardon me but I must correct you:

While it is true that the Domain Admins group is added to the Administrators group when the machine joins the domain, 
it is *not* true that the machine is removed from the domain when the Domain Admins are removed from this group.  We 
frequently remove the Domain Admins from our Admin groups and participate actively in domain membership.

--
~Jonny Sweeny, GSEC, GCWN, GCIH, GWAS
Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP & S/MIME: http://informationsecurity.iu.edu/Jonny_Sweeny
jsweeny () iu edu -- phone: (812) 855-4194 -- fax: (812) 856-1011



