I haven't used the built-in admin account in an enterprise setting in at least 7 or 8 years after initial configuration of the server (you have to log on with something!). You set a nasty, exceedingly long password no one could remember, test it, and then put it in an envelope and put it in a locked drawer or safe of a very high level IT person in the company that would be painful to get it from so it is only used in absolute disaster situations. Then monitor the account for password changes and logins to verify something bad hasn't happened. Alternatively, if that is too much work, set the password to some long random password and if you ever need in, you crack it. This works better for non-DCs but is possible in that situation too, just more involved.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 2:26 PM
To: [email protected]
Subject: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.

There have been times in recent past that certain installs or applications only work under the "500" account aka the real admin account down here in SBSland.

In Big server land... do you also find this to be true with apps that need to be installed on the server?

For many of you you are obviously remote admin'ing. Do you ..when using that 500 account... accept the risk of that Admin account/password over TS/3389? Only over VPN? Only use that 500 account in certain vlans/subnets/whatevers that obviously we in SBSland never carve up our domain structures in? For SOX purposes only have a documented use of that 500 account? For all other times do you use admin equivalent?

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
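The monitoring step suggested in the reply above (watch the built-in admin account for logons and password changes), as an added example that is not part of the original thread. It assumes Windows Server 2008 or later Security event IDs; the function names, SIDs, account names and addresses are hypothetical and the sample records are constructed.

```powershell
# Event IDs assume Windows Server 2008 or later:
# 4624 = logon, 4723 = password change attempt, 4724 = password reset attempt.
$WatchedIds = 4624, 4723, 4724

function Get-Rid500Activity {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $id  = [int]$evt.System.EventID
        if ($WatchedIds -notcontains $id) { return }

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $f = @{}
        foreach ($d in $evt.EventData.Data) { $f[$d.Name] = $d.'#text' }

        # 4624 carries the account SID in TargetUserSid; 4723/4724 use TargetSid.
        $sid = if ($id -eq 4624) { $f['TargetUserSid'] } else { $f['TargetSid'] }
        # Match on the RID, not the name: the account may have been renamed.
        if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-500$') { return }

        [pscustomobject]@{
            Time      = $evt.System.TimeCreated.SystemTime
            EventId   = $id
            Account   = $f['TargetUserName']
            Actor     = $f['SubjectUserName']   # who changed/reset the password
            LogonType = $f['LogonType']         # 10 = RemoteInteractive (TS/RDP)
            SourceIp  = $f['IpAddress']
        }
    }
}

# Constructed sample records (hypothetical helper and values, not from a real system).
function New-SampleEvent($Id, $Data) {
    $d = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID><TimeCreated SystemTime='2024-01-01T03:12:00Z'/></System><EventData>$d</EventData></Event>"
}
$admin = 'S-1-5-21-1111111111-2222222222-3333333333-500'
$samples = @(
    (New-SampleEvent 4624 @{ TargetUserSid = $admin; TargetUserName = 'Administrator'; LogonType = 10; IpAddress = '192.0.2.10' }),
    (New-SampleEvent 4724 @{ TargetSid = $admin; TargetUserName = 'Administrator'; SubjectUserName = 'helpdesk1' }),
    (New-SampleEvent 4624 @{ TargetUserSid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'; TargetUserName = 'jsmith'; LogonType = 3 })
)
$samples | Get-Rid500Activity | Format-Table -AutoSize

# Live data (run elevated on the server being monitored):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $WatchedIds } | ForEach-Object { $_.ToXml() } | Get-Rid500Activity
```

Only the first two sample records are reported; the third is an ordinary user logon and is filtered out by the RID check.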
