Educause Security Discussion mailing list archives

Re: Local Admin Accounts


From: Guy Pace <gpace () SBCTC EDU>
Date: Wed, 16 Sep 2009 11:03:54 -0700

Renaming the local administrator account is security by obscurity and doesn't accomplish anything. The account can 
still be accessed by the account's unique identifier (SID: S-1-5-######-500) in the OS and AD, and by live CDs used to 
reset or hack admin passwords. The account name is just a label, after all. It is best to set a strong, secure password 
on the account and strictly limit access to it. Audit for local admin login and know who is using that credential and 
why.

Disabling the local administrator account, and not having another account (domain or local) in the local admin group, 
can make management of the individual system(s) very difficult.

Also, adding a local account and putting it in the local administrator group does not make an account identical to the 
default local administrator account. The added account does not have the same unique identifier.

To address the trust issue: The domain administrator group must be (and this is set by default when a system is joined 
to the domain) included in all local administrator groups. Without this, systems will drop off the domain. In a past 
life (way back when AD was new), some users felt that the domain admin group should not be part of their local admin 
group (paranoid faculty and HR directors, mostly) on their workstations and would remove them (yeah, they had elevated 
privs). We dropped _all_ users to power users, removed access to local policy and made sure that domain admin group was 
part of the local admin group.

Some hard feelings abounded, but we stabilized the network and domain.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu
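The points above (the built-in account keeps RID 500 whatever it is named, the domain admin group should stay in the local Administrators group, and local admin logons should be audited) can be checked from a script. The following is an added example, not code from the thread or from SBCTC. It assumes a domain-joined Windows 10 / Server 2016 or later host with the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt; the function names are my own.

```powershell
# Added example for this thread (not from the original posts).
# Assumes: domain-joined Windows 10 / Server 2016+, elevated prompt,
# Microsoft.PowerShell.LocalAccounts module available.

function Get-BuiltinAdministrator {
    # The built-in administrator is identified by RID 500 in the machine SID,
    # so this finds it no matter what it has been renamed to.
    $acct = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $acct) { throw 'No RID-500 account found; unexpected on Windows.' }
    [PSCustomObject]@{
        CurrentName     = $acct.Name
        SID             = $acct.SID.Value
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
    }
}

function Test-DomainAdminsInLocalAdministrators {
    # Domain Admins is the domain SID followed by RID 512; checking by SID
    # avoids depending on the group's display name or the domain's NetBIOS name.
    $members = Get-LocalGroupMember -Group 'Administrators'
    $da = $members | Where-Object { $_.SID.Value -like 'S-1-5-21-*-512' }
    [PSCustomObject]@{
        DomainAdminsPresent = [bool]$da
        LocalAdminMembers   = ($members | ForEach-Object { $_.Name }) -join '; '
    }
}

function Get-BuiltinAdminLogons {
    # Audit trail for the RID-500 account: successful logons (event 4624)
    # whose TargetUserSid ends in -500. The name is ignored for the same
    # reason as above. Requires "Audit Logon" to be enabled.
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserSid'] -like '*-500') {
            [PSCustomObject]@{
                Time        = $e.TimeCreated
                AccountName = $data['TargetUserName']
                LogonType   = $data['LogonType']   # 2 interactive, 3 network, 10 RDP
                SourceIP    = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        }
    }
}

# Usage
Get-BuiltinAdministrator
Test-DomainAdminsInLocalAdministrators
Get-BuiltinAdminLogons | Sort-Object Time -Descending | Select-Object -First 20
```

Matching on the SID suffix rather than the account name is the practical consequence of the point above: a rename changes nothing the script sees, while a missing RID-512 member in the local Administrators group flags the kind of workstation that will later drop off the domain.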

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S 
Malwade
Sent: Wednesday, September 16, 2009 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

For operational reasons it is not recommended to disable the administrator account. The best practice is to rename it 
to some other value.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, 
Ronald A.
Sent: Wednesday, September 16, 2009 1:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Local Admin Accounts

I would like to inquire as to what other Universities are doing with regard to local admin accounts in a Windows domain.  
We are contemplating removing or disabling local administrator accounts across the board and using a Workstation 
Administrators group in Active Directory.


1. Has anyone disabled the local Administrator account?

2. How do you handle when a machine can no longer talk to the network or domain, whether a hardware failure or 
lost trust?

3. If a machine loses its trust with the domain, what causes this?

4. Is there a method of creating a unique password for each machine for the administrator account, or some way of 
not having to give out one password that gives someone access to anything and everything?

5. Any other advice?

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu
http://security.nsu.edu
