    Domain Administrator or (s)? Best practices?

      LAH3385

      As a sole admin, I have no problem using the built-in Administrator to remote into each server. Next month I will have one more administrator joining. However, his role will be IT Manager, overseeing me and the web/app designer.
      With that said... what are the recommended best practices when there are multiple administrators? Do I add him to the Administrators group and be done with it?

        brianlittlejohn

        Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.

          MattSpeller @brianlittlejohn

          @brianlittlejohn said:

          Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.

          Yup exactly what we do here (3 domain admins) - works a treat. Then if you mess up you can use the DA account to fix yours instead of being royally screwed.

            Alex Sage

            What usernames do you use?

              brianlittlejohn

              For Windows I use <username>.admin for the privileged account.

                Carnival Boy

                Should you have 3 accounts - a non-admin one, a Domain Admin one, AND a local admin one? I've never been sure about logging on to PCs with a domain admin account. I figured you should reserve domain admin accounts for purely, you know, domain admin (i.e. only use the domain admin account to log onto servers).

                I know no-one does this, but I'm not sure if you should.

                  scottalanmiller

                  You should...

                  • Never have your normal account be an admin at all.
                  • Never share accounts

                  So for any admin, they would have their normal account and their own admin account.

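
The account model recommended in the posts above (a non-admin daily account plus a personal admin account for each administrator, no shared accounts, and no routine use of the built-in Administrator) can be checked with a small audit. This is an added example, not code from any post in the thread; the sample rows are constructed, and the `EmployeeId` link between one person's two accounts, the `HasMailbox` marker for a daily-use account and the 30-day threshold are assumptions.

```powershell
# Constructed sample export, not real accounts. On a live domain, similar rows
# could be built from Get-ADUser and Get-ADGroupMember 'Domain Admins' -Recursive.
$accounts = @(
    [pscustomobject]@{ Sam='jdoe';          EmployeeId='1001'; IsDomainAdmin=$false; HasMailbox=$true;  Sid='S-1-5-21-1-2-3-1104'; DaysSinceLogon=0 }
    [pscustomobject]@{ Sam='jdoe.admin';    EmployeeId='1001'; IsDomainAdmin=$true;  HasMailbox=$false; Sid='S-1-5-21-1-2-3-1105'; DaysSinceLogon=2 }
    [pscustomobject]@{ Sam='msmith';        EmployeeId='1002'; IsDomainAdmin=$true;  HasMailbox=$true;  Sid='S-1-5-21-1-2-3-1106'; DaysSinceLogon=0 }
    [pscustomobject]@{ Sam='itshared';      EmployeeId=$null;  IsDomainAdmin=$true;  HasMailbox=$false; Sid='S-1-5-21-1-2-3-1107'; DaysSinceLogon=5 }
    [pscustomobject]@{ Sam='Administrator'; EmployeeId=$null;  IsDomainAdmin=$true;  HasMailbox=$false; Sid='S-1-5-21-1-2-3-500';  DaysSinceLogon=1 }
)

function Test-AdminAccountHygiene {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [int] $BuiltInIdleDays = 30   # assumed threshold for "still in use"
    )
    # Employee IDs that own at least one non-admin (daily-use) account.
    $ownersWithNormal = @($Accounts |
        Where-Object { -not $_.IsDomainAdmin -and $_.EmployeeId } |
        ForEach-Object { $_.EmployeeId })

    foreach ($a in $Accounts | Where-Object IsDomainAdmin) {
        $findings = @()
        if ($a.Sid -match '-500$') {
            # The built-in Administrator keeps RID 500 even when renamed.
            if ($a.DaysSinceLogon -lt $BuiltInIdleDays) {
                $findings += 'built-in Administrator still used for logon'
            }
        }
        elseif (-not $a.EmployeeId) {
            $findings += 'admin account has no single owner (shared?)'
        }
        else {
            if ($a.HasMailbox) {
                $findings += 'daily-use account holds admin rights'
            }
            if ($ownersWithNormal -notcontains $a.EmployeeId) {
                $findings += 'owner has no separate normal account'
            }
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ Account = $a.Sam; Finding = $f }
        }
    }
}

Test-AdminAccountHygiene -Accounts $accounts | Format-Table -AutoSize
```

On the constructed rows, `jdoe.admin` passes, `msmith` is flagged twice, and `itshared` and `Administrator` are flagged once each.
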
                    scottalanmiller @brianlittlejohn

                    @brianlittlejohn said:

                    Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.

                    No different than you should be doing for your laptop at home. Nothing special here.

                      LAH3385

                      Here are the changes:
                      Built-in Administrator: Change password.
                      I created a new account with @brianlittlejohn's suggestion and made it domain admin.
                      Same with the new manager.

                      Thanks

                        Jason Banned

                        I wouldn't include admin anywhere in account names; it makes it too obvious. After all, anyone can do an LDAP lookup (and therefore any software), even as a standard user.

                        For example, ours are first.last for normal, and for admin we use (without the parentheses) (first initial)(last name) or (first initial)(middle initial)(last name).

                        All built-in admins on the domain are renamed to random names. And the local administrator is deleted with a new one created with a random name (this is so the SID will not be the same).

                          LAH3385 @Jason

                          @Jason said:

                          All built in admins on domain are renamed to random names. And the local administrator is deleted with a new one created with a random name (this is so the SID will not be the same)

                          Do you do this via GPO? If so, any KB or TechNet link for this? I am sure I can find this within a couple of minutes of googling, but the more the better. 🙂

                            hobbit666 @brianlittlejohn

                            @brianlittlejohn said:

                            Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.

                            I really need to start doing this!!!

                              MattSpeller @hobbit666

                              @hobbit666 said:

                              @brianlittlejohn said:

                              Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.

                              I really need to start doing this!!!

                              It pissed me off for a while but once you start using it you realize (or at least I did) how many potentially sketchy as frig things you do on a computer every day

                                wrx7m @LAH3385

                                @LAH3385 I hope to add someone, more of a helpdesk, though, and was wondering the same thing.

                                  LAH3385 @wrx7m

                                  @wrx7m
                                  I would not be the best person to answer the question. 😛
                                  But if I were adding a help desk to my team I would give him the same setup as what @brianlittlejohn mentioned previously, but limit access to servers via remote desktop. Or simply deny his account altogether. Other than that I think helpdesk needs admin rights and whatnot.

                                    Jason Banned @LAH3385

                                    @LAH3385 said:

                                    @wrx7m
                                    I would not be the best person to answer the question. 😛
                                    But if I were adding a help desk to my team I would give him the same setup as what @brianlittlejohn mentioned previously, but limit access to servers via remote desktop. Or simply deny his account altogether. Other than that I think helpdesk needs admin rights and whatnot.

                                    If he doesn't need domain admin rights you can just promote an account via a GPO as a local admin so he doesn't have unnecessary access.

                                      wrx7m @LAH3385

                                      @LAH3385 Yeah, I am going to allow them very limited access to the domain. Probably won't give domain admin. Just allow him local admin under a secondary account to desktops/laptops. I am also going to have to figure out access to AD for things like creating users and password resets etc.
