You are confusing several different user/group objects:

1. The domain account named Administrator
2. The domain group named Domain Admins
3. The local account named Administrator
4. The local group named Administrators (note the "s" at the end)

The security guidelines say that you should rename numbers 1 and 3
above.

Default configuration for a domain has:
1. The domain account Administrator is a member of the domain group
Domain Admins
2. The domain group Domain Admins is a member of the local group
Administrators (with the "s") on each domain member.

You could then use the local group Administrators to grant the
appropriate NTFS permissions to files/folders. Users that then looked at
the NTFS permissions would only see the group name.

However, for the more technically savvy people out there, renaming the
local Administrator account is not foolproof since it has a well-known
SID. The built-in Administrator account is the only one that ends in
-500.
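
The two points made in this thread (ACLs store SIDs and the tools only display names; the built-in Administrator keeps a SID ending in -500 after a rename), shown as an added Python example that is not part of the original messages. It decodes the binary SID layout and names each principal from the SID alone. The domain identifier, the sample ACL and the helper names are constructed for illustration.

```python
import struct

# Well-known values from Microsoft's SID documentation.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # local group Administrators
RID_ADMINISTRATOR = 500                   # built-in Administrator account
RID_DOMAIN_ADMINS = 512                   # domain group Domain Admins

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (as stored in an ACE) into S-R-I-S... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def classify(sid: str) -> str:
    """Name the principal from the SID alone; no display name is consulted."""
    if sid == BUILTIN_ADMINISTRATORS:
        return "local group Administrators"
    parts = sid.split("-")
    # Account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID> (domain or local machine).
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        rid = int(parts[7])
        if rid == RID_ADMINISTRATOR:
            return "built-in Administrator account (whatever it is renamed to)"
        if rid == RID_DOMAIN_ADMINS:
            return "domain group Domain Admins"
    return "other principal"

def build_sid(authority: int, *subs: int) -> bytes:
    """Hypothetical helper: build a sample binary SID for the demo."""
    head = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

# Constructed sample data: this domain identifier is made up.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
SAMPLE_ACL = [build_sid(5, 32, 544), build_sid(5, *DOMAIN, 500),
              build_sid(5, *DOMAIN, 512), build_sid(5, *DOMAIN, 1104)]

if __name__ == "__main__":
    for raw in SAMPLE_ACL:
        sid = sid_to_string(raw)
        print(f"{sid:48} {classify(sid)}")
```
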

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.

Thanks Tony.

RH

________________________________________________________________



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account


The admin tools resolve the SID to the friendly name for you.  In other
words, you're not actually working with the friendly names when viewing or
assigning permissions, but this is how it appears to you.

Tony
---------- Original Message ----------------------------------
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell
me the answer to these questions please.  Let's say you run NTFS permissions
on your local PCs.  Let's say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-------------------------------------------------
Rocky Habeeb
Microsoft Systems Administrator
-------------------------------------------------
James W. Sewall Company
Old Town, Maine
-------------------------------------------------
207.827.4456
habr @ jws.com
www.jws.com
-------------------------------------------------


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/