Educause Security Discussion mailing list archives

Re: Local Admin Accounts


From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 16 Sep 2009 13:19:22 -0700

  At a previous employer, we wound up deploying a domain logon script for
everyone that would re-add Domain Administrators to their Local
Administrators group.

David Gillett



  _____

From: Sweeny, Jonny [mailto:jsweeny () IU EDU]
Sent: Wednesday, September 16, 2009 1:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The domain administrator group must be (and this is set by
default when a system is joined to the domain) included in
all local administrator groups. Without this, systems will
drop off the domain.

Pardon me but I must correct you:

While it is true that the Domain Admins group is added to the Administrators
group when the machine joins the domain, it is *not* true that the machine
is removed from the domain when the Domain Admins are removed from this
group.  We frequently remove the Domain Admins from our Admin groups and
participate actively in domain membership.

- --
~Jonny Sweeny, GSEC, GCWN, GCIH, GWAS
Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP & S/MIME: http://informationsecurity.iu.edu/Jonny_Sweeny
jsweeny () iu edu -- phone: (812) 855-4194 -- fax: (812) 856-1011

-----BEGIN PGP SIGNATURE-----
Version: 9.10.0 (Build 500)
Charset: utf-8

wj8DBQFKsUPzkncdNJm5aegRAhgNAJsG4Quvi2dc4QPw6oMGV+LlnSwUEACfY8Vo
Lmpxyj7jEuMdYXwdpu93uqc=
=YY/G
-----END PGP SIGNATURE-----



