Active Directory administrator account

  • Active Directory administrator account

    I have disabled the administrator account in my MS Windows 2003 Active Directory domain. I have made some adjustments for the newly created administrative account. Just wanting to know if there is anything I would need to do with respect to Active Directory (synchronization, etc.) when the administrator account is disabled. The new administrator account is a member of the Domain Admins/Enterprise Admins/Administrators groups. Just wondering if I would need to manually add the new administrative account anywhere in AD.

  • #2
    Re: Active Directory administrator account

    So, if you created a new account and added it back to those groups, then I am not sure what your goal is.

    What I would recommend you do is simply rename (user ID) the administrator account to something else, then create a new account called administrator. The new account called administrator will have a new SID. Do not add the new administrator to any groups. You can disable this new account or leave it enabled and then monitor this account. The real domain admin account could be left disabled until you need it, or leave it enabled and just monitor that one as well. Best monitoring option is via MS SCOM, in my opinion.

    In reality, this provides you very little additional protection. Anyone that has access to your domain will simply do a search for the account with the SID of -500 and they will find it regardless of what you name it.
    JM @ IT Training & Consulting
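
Added example, not part of the thread: an audit sketch for the rename-and-decoy setup described in reply #2, showing why the built-in account stays identifiable by its RID of 500 whatever it is named, and checking that the decoy named "administrator" holds no privileged memberships. It assumes an export of `sAMAccountName`, binary `objectSid` and group names per account; the domain SID, account names and the simplification of `memberOf` to plain group names are constructed for illustration.

```python
import struct

PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

def encode_sid(sid):
    """String SID -> binary objectSid layout (used only to build the sample data)."""
    _, rev, auth, *subs = sid.split("-")
    body = b"".join(struct.pack("<I", int(s)) for s in subs)
    return bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big") + body

def decode_sid(raw):
    """Binary objectSid -> 'S-1-5-21-...' string; rejects truncated values."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    auth = int.from_bytes(raw[2:8], "big")           # 6-byte big-endian authority
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # little-endian sub-authorities
    return "-".join(["S", str(raw[0]), str(auth)] + [str(s) for s in subs])

def audit(accounts):
    """Classify accounts by RID and name; returns (role, sAMAccountName, sid) tuples."""
    findings = []
    for acct in accounts:
        sid = decode_sid(acct["objectSid"])
        name = acct["sAMAccountName"]
        rid = int(sid.rsplit("-", 1)[1])
        if sid.startswith("S-1-5-21-") and rid == 500:
            # The built-in account: the name is irrelevant, the RID identifies it.
            findings.append(("builtin-admin", name, sid))
        elif name.lower() == "administrator":
            # The decoy must hold no privileged memberships.
            privileged = PRIVILEGED & set(acct["memberOf"])
            findings.append(("decoy-privileged" if privileged else "decoy-ok", name, sid))
    return findings

# Constructed sample export (domain SID and account names are made up).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    {"sAMAccountName": "ops-renamed", "objectSid": encode_sid(DOMAIN + "-500"),
     "memberOf": ["Domain Admins", "Enterprise Admins", "Administrators"]},
    {"sAMAccountName": "Administrator", "objectSid": encode_sid(DOMAIN + "-1105"),
     "memberOf": []},
    {"sAMAccountName": "newadmin", "objectSid": encode_sid(DOMAIN + "-1106"),
     "memberOf": ["Domain Admins"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Both accounts the audit reports are the ones worth alerting on: any logon attempt against the decoy, and any use of the RID 500 account outside a planned recovery.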