Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Local Admin Accounts

From: Anand S Malwade <Anand.Malwade () SHU EDU>
Date: Wed, 16 Sep 2009 13:24:38 -0400
For operational reasons it is not recommended to disable the administrator account. The best practice is to rename it 
to some other value.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, 
Ronald A.
Sent: Wednesday, September 16, 2009 1:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Local Admin Accounts

I would like to inquire as to what other Universities are doing with regard to local admin accounts in Windows domain.  
We are contemplating removing or disabling local administrator accounts across the board and use a Workstation 
Administrators group in Active Directory.


1.       Has anyone disabled the local Administrator account?

2.       How do you handle when a machine can no longer talk to the network or domain, whether a hardware failure or 
lost trust?

3.       If a machine loses its trust with the domain, what cause this?

4.       Is there a method of creating a unique password for each machine for the administrator account, or someway of 
not having to give out one password that gives someone access to anything and everything?

5.       Any other advice?

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu<mailto:raking () nsu edu>
http://security.nsu.edu
Previous By Date Next
Previous By Thread Next

Current thread: