Re: Local Admin Accounts

[Mark Monroe <markm196 () NETSCAPE NET>]

We do not disable the account, but we do randomize the local admin
password. After a system is imaged and done, a script runs that
randomizes the local admin password and no one knows it. (A domain admin
could always reset it if needed) . To do it after the fact you could use
this script...

http://gallery.technet.microsoft.com/ScriptCenter/en-us/5a8ebd4e-8184-4233-9ca1-430442a6eed3

And either securely store the passwords.txt file if you want to know
them, or securely delete it.

Mark Monroe
University of Missouri - St. Louis

King, Ronald A. wrote:
> I would like to inquire as to what other Universities are doing with
> regard to local admin accounts in Windows domain.  We are
> contemplating removing or disabling local administrator accounts
> across the board and use a Workstation Administrators group in Active
> Directory.
>
>
>
> 1.       Has anyone disabled the local Administrator account?
>
> 2.       How do you handle when a machine can no longer talk to the
> network or domain, whether a hardware failure or lost trust?
>
> 3.       If a machine loses its trust with the domain, what cause this?
>
> 4.       Is there a method of creating a unique password for each
> machine for the administrator account, or someway of not having to
> give out one password that gives someone access to anything and
> everything?
>
> 5.       Any other advice?
>
>
>
> /Ronald King/
>
> /Security Engineer/
>
> /Norfolk State University/
>
> /Marie V. McDemmond Center for Applied Research /
>
> /Suite 401 /
>
> /700 Park Ave./
>
> /Norfolk, Virginia  23504/
>
> /Phone:  757-823-3918/
>
> /Fax: 757-823-2128/
>
> /Email: raking () nsu edu <mailto:raking () nsu edu>/
>
> /http://security.nsu.edu/