Domain Administrator or (s)? Best practices?
-
As a sole admin, I have no problem using built-in administrator to remote into each server. Next month I will have one more administrator joining. However, his role will be IT Manager, oversee me and web/app designer.
With that said... what is a recommended best practices when there are multiple administrator? Do I add him into Administrators group and be done with it? -
Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.
-
@brianlittlejohn said:
Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.
Yup exactly what we do here (3 domain admins) - works a treat. Then if you mess up you can use the DA account to fix yours instead of being royally screwed.
-
What usernames do you use?
-
For windows I <username>.admin for the privileged account.
-
Should you have 3 accounts - a non-admin one, a Domain Admin one, AND a local admin one? I've never been sure about logging on to PCs with a domain admin account. I figured you should reserve domain admin accounts for purely, you know, domain admin (ie only use the domain admin account to log onto servers)
I know no-one does this, but I'm not sure if you should.
-
You should...
- Never have your normal account be an admin at all.
- Never share accounts
So for any admin, the would have their normal account and their own admin account.
-
@brianlittlejohn said:
Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.
No different than you should be doing for your laptop at home. Nothing special here.
-
Here's the changes:
Built-in Administrator : Change password.
I created a new account with @brianlittlejohn suggestion and made it domain admin.
Same with the new manager.Thanks
-
I wouldn't include admin anywhere in account names makes it to obvious. After all anyone can do an LDAP lookup (and there for any software) even as standard user.
For example ours are first.last for normal and for admin we use (without the parenthesis) (firstinital)(last name) or (firstinital)(middle initial)(last name).
All built in admins on domain are renamed to random names. And the local administrator is deleted with a new one created with a random name (this is so the SID will not be the same)
-
@Jason said:
All built in admins on domain are renamed to random names. And the local administrator is deleted with a new one created with a random name (this is so the SID will not be the same)
Do you do this via GPO? If so any kb or technet link for this? I am sure I can find this within couple minutes of googling, but the more the better.
-
@brianlittlejohn said:
Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.
I really need to start doing this!!!
-
@hobbit666 said:
@brianlittlejohn said:
Create him two accounts, one for normal use, then a second with administrative rights. You should do the same thing for you and not use the built in account.
I really need to start doing this!!!
It pissed me off for a while but once you start using it you realize (or at least I did) how many potentially sketchy as frig things you do on a computer every day
-
@LAH3385 I hope to add someone, more of a helpdesk, though and was wondering the same thing.
-
@wrx7m
I would not be the best person to answer the question.
But If I were adding a help desk to my team I would give him the same setup as what @brianlittlejohn mentioned previously, but limit access to server via remote desktop. Or Simply deny his account altogether. Other than that I think helpdesk needs admin rights and whatnot. -
@LAH3385 said:
@wrx7m
I would not be the best person to answer the question.
But If I were adding a help desk to my team I would give him the same setup as what @brianlittlejohn mentioned previously, but limit access to server via remote desktop. Or Simply deny his account altogether. Other than that I think helpdesk needs admin rights and whatnot.If he doesn't need domain admin rights you can just promote and account via a GPO as a local admin so he doesn't have unnecessary access.
-
@LAH3385 Yeah, I am going to allow them very limited access to the domain. Probably won't give domain admin. Just allow him local admin under a secondary account to desktops/laptops. I am also going to have to figure out access to AD for things like creating users and password resets etc.