Click here to get back home

Safely change the Administrator accounts and names 2003 server
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Safely change the Administrator accounts and names 2003 server Dan 07-11-2007
Posted by Dan on July 11, 2007, 6:15 pm
Please log in for more thread options
 Can I safely change the Domain Administrator account password and name
and still have access to domain clients? I'm concerned that once I
change the administrator account I won't have access to the clients
and will have to bring them all back into the domain to get the GPO
security back. Any cached policies would still be on the laptops
untill they login into the domain correct? Do I even need to worry
about this?
I remmber the SBS 2000 domain controlers would lose there security
ID's if you renamed the Domain Administrator account after Dcpromo.
I'd like to secure the domain controllers as much as possible without
bringing the domain down for an exteneded period of time.

Thanks,


Posted by Steve Riley [MSFT] on July 13, 2007, 12:56 am
Please log in for more thread options
 So long as you have a good (that is, long) password on the domain admin
account, there's really no need to change the name. Account names aren't
designed to be secrets, so don't try to hide accounts by changing their
names.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley


> Can I safely change the Domain Administrator account password and name
> and still have access to domain clients? I'm concerned that once I
> change the administrator account I won't have access to the clients
> and will have to bring them all back into the domain to get the GPO
> security back. Any cached policies would still be on the laptops
> untill they login into the domain correct? Do I even need to worry
> about this?
> I remmber the SBS 2000 domain controlers would lose there security
> ID's if you renamed the Domain Administrator account after Dcpromo.
> I'd like to secure the domain controllers as much as possible without
> bringing the domain down for an exteneded period of time.
>
> Thanks,
>

Posted by Special Access on July 13, 2007, 5:25 am
Please log in for more thread options
On Thu, 12 Jul 2007 21:56:45 -0700, "Steve Riley [MSFT]"

>So long as you have a good (that is, long) password on the domain admin
>account, there's really no need to change the name. Account names aren't
>designed to be secrets, so don't try to hide accounts by changing their
>names.
>
>Steve Riley
>steve.riley@microsoft.com
>http://blogs.technet.com/steriley
>
>
>> Can I safely change the Domain Administrator account password and name
>> and still have access to domain clients? I'm concerned that once I
>> change the administrator account I won't have access to the clients
>> and will have to bring them all back into the domain to get the GPO
>> security back. Any cached policies would still be on the laptops
>> untill they login into the domain correct? Do I even need to worry
>> about this?
>> I remmber the SBS 2000 domain controlers would lose there security
>> ID's if you renamed the Domain Administrator account after Dcpromo.
>> I'd like to secure the domain controllers as much as possible without
>> bringing the domain down for an exteneded period of time.
>>
>> Thanks,
>>

while this may be true in the civilian world, the US Gov't world
requires the built-in administrator and guest account names be
changed.

Mike

Posted by LSR on July 13, 2007, 7:50 am
Please log in for more thread options
Special Access wrote:
> On Thu, 12 Jul 2007 21:56:45 -0700, "Steve Riley [MSFT]"
>
>> So long as you have a good (that is, long) password on the domain
>> admin account, there's really no need to change the name. Account
>> names aren't designed to be secrets, so don't try to hide accounts
>> by changing their names.
>>
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>>
>>
>>> Can I safely change the Domain Administrator account password and
>>> name and still have access to domain clients? I'm concerned that
>>> once I change the administrator account I won't have access to the
>>> clients and will have to bring them all back into the domain to get
>>> the GPO security back. Any cached policies would still be on the
>>> laptops untill they login into the domain correct? Do I even need
>>> to worry about this?
>>> I remmber the SBS 2000 domain controlers would lose there security
>>> ID's if you renamed the Domain Administrator account after Dcpromo.
>>> I'd like to secure the domain controllers as much as possible
>>> without bringing the domain down for an exteneded period of time.
>>>
>>> Thanks,
>>>
>
> while this may be true in the civilian world, the US Gov't world
> requires the built-in administrator and guest account names be
> changed.
>
> Mike

We did wonder, after changing the administrator account name, if we could
create an account called "administrator" with Guest (or even fewer)
permissions and a trivial password as we thought this might really frustrate
a hacker when they found it.

--
LSR



Posted by Al Dunbar on July 13, 2007, 7:46 pm
Please log in for more thread options

> Special Access wrote:
>> On Thu, 12 Jul 2007 21:56:45 -0700, "Steve Riley [MSFT]"
>>
>>> So long as you have a good (that is, long) password on the domain
>>> admin account, there's really no need to change the name. Account
>>> names aren't designed to be secrets, so don't try to hide accounts
>>> by changing their names.
>>>
>>> Steve Riley
>>> steve.riley@microsoft.com
>>> http://blogs.technet.com/steriley
>>>
>>>
>>>> Can I safely change the Domain Administrator account password and
>>>> name and still have access to domain clients? I'm concerned that
>>>> once I change the administrator account I won't have access to the
>>>> clients and will have to bring them all back into the domain to get
>>>> the GPO security back. Any cached policies would still be on the
>>>> laptops untill they login into the domain correct? Do I even need
>>>> to worry about this?
>>>> I remmber the SBS 2000 domain controlers would lose there security
>>>> ID's if you renamed the Domain Administrator account after Dcpromo.
>>>> I'd like to secure the domain controllers as much as possible
>>>> without bringing the domain down for an exteneded period of time.
>>>>
>>>> Thanks,
>>>>
>>
>> while this may be true in the civilian world, the US Gov't world
>> requires the built-in administrator and guest account names be
>> changed.
>>
>> Mike
>
> We did wonder, after changing the administrator account name, if we could
> create an account called "administrator" with Guest (or even fewer)
> permissions and a trivial password as we thought this might really
> frustrate a hacker when they found it.

No reason why that would not be possible, as there is nothing special about
the name "administrator". Of course, it is no secret to the hacking
community that renaming the administrator and leaving a fake one for them to
fool around with is commonly done. As a bit of "security by obscurity", it
probably doesn't hurt - just as long as you do not think this is foolproof
or all you need do to secure your system.

/Al



Similar ThreadsPosted
added four server names to the administrator group of a file serve July 16, 2008, 5:31 pm
Use Windows 2003 CA to create a web server certificate with alternative DNS names June 2, 2007, 1:02 pm
Server 2003 change monitor? November 3, 2005, 10:14 am
How to change the minimum password length in a Windows 2003 server July 27, 2006, 8:09 pm
Is it possible to use the Windows 2003 user names instead of pre-Windows 2000 user names in Windows Authentication? September 5, 2006, 9:27 am
Administrator can't change security April 11, 2006, 5:51 pm
Methods for Recovering Administrator Accounts January 28, 2007, 1:21 am
Administrator Approved Controls on Windows 2003 Server June 2, 2005, 9:11 am
Securing Administrator password on a windows 2003 server May 15, 2008, 8:36 pm
Restricting service accounts that have administrator privileges July 8, 2007, 12:10 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap