Announcement

Collapse
No announcement yet.

Win 7 in domain, local admin

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Win 7 in domain, local admin

    I'm just starting out installing some Win 7 machines in our domain. I know Vista, Win 7 have the default administrator account disabled.

    Do you guys make local admin accounts on machines?

    I'm wondering what happens if all users on the box are standard users and the computer can't communicate with the domain (for whatever reason), I used to be able to just reset the computer account, login to the client machine with the local admin and disjoin it from the domain to a workgroup and back and it worked.

    I have no idea how I'd do this, if Domain Admin credentials are not cached on the box and no domain users were added as administrators.

    Any suggestions are more then welcome.

  • #2
    Re: Win 7 in domain, local admin

    Personally, I prefer to have a local account with admin privileges -- doesnt have to be "The Administrator"

    Doesnt the account you create when you do your initial machine setup have admin permissions?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Win 7 in domain, local admin

      Sure the 1st account has admin permissions, I was just wondering if it's common practice/prefered to remove that account, so there are no local admin account on the machine.

      I guess I need to create one and get creative as far as naming it.

      Comment


      • #4
        Re: Win 7 in domain, local admin

        Concur with that -- creative naming can be FUN
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Win 7 in domain, local admin

          Yes, I would create a new account and make it a member of the local Administrators group. Give a non-standard name so its hard to guess and use a complex password (Mixed case letter, and at least one digit and symbol).

          Comment


          • #6
            Re: Win 7 in domain, local admin

            I usually add my domain admin account to every client and make it a member of the administrator's group. Very useful for fixing issues when another user is logged on and you need to change a system setting and admin credentials are required.
            A recent poll suggests that 6 out of 7 dwarfs are not happy

            Comment


            • #7
              Re: Win 7 in domain, local admin

              As best practice i guess you could do following:
              1. Disable All local Administrator accounts (if not already disabled)
              2. Rename "Administrator" account to something else
              3 In case users can't login for some "domain related issue"your domain accounts won't work either probably, so in this case you just have to use WinPE/BartPE and enable the disabled accounts and you should be able to login with local accounts.

              this IMO is the "safer" way to handle local accounts.

              Comment


              • #8
                Re: Win 7 in domain, local admin

                Originally posted by CypherBit View Post
                I'm just starting out installing some Win 7 machines in our domain. I know Vista, Win 7 have the default administrator account disabled.

                Do you guys make local admin accounts on machines?

                I'm wondering what happens if all users on the box are standard users and the computer can't communicate with the domain (for whatever reason), I used to be able to just reset the computer account, login to the client machine with the local admin and disjoin it from the domain to a workgroup and back and it worked.

                I have no idea how I'd do this, if Domain Admin credentials are not cached on the box and no domain users were added as administrators.

                Any suggestions are more then welcome.
                On new machines I always create my own account e.g. "Companyname", or just plain "User" with a standard password. That way if the client ever wants to take it off the domain, or the domain goes down then at least there's a local admin account ready to use.

                Comment


                • #9
                  Re: Win 7 in domain, local admin

                  Whenever we had a new machine join the Domain, it automatically created a new profile on the machine for the Domain Admin as part of the local admin group on the machine. We could then use that account we the local admin account was disabled. Our network consisted of 700+ pc's, 90+ Cisco switches, 14 Cisco routers, and 20+ Windows servers and 12 T1 lines.

                  Comment

                  Working...
                  X