What if they Escape from Area 51 and eat the network?
Hello all.
I am going to interrupt myself here to relate a discussion that I had with my colleague Lesley. She is a very sharp cookie indeed. We were reviewing a system and she commented that the system was a member of a domain and yet the local admin account was not disabled. I pondered this for a while. I had heard that our recommendation for business users was to disable the admin account – we also recommend users not running as admin but that wasn’t really an option for me since I was doing a lot of debugging stuff.
Anyway, the reason that we recommend disabling local admin is that in most domains, the only people who have a use for it are hackers. Support staff/system admins will use a domain account that has admin (or at least power user) rights on the local machine. So, I played devil’s advocate. “What”, I said, “if the network has been destroyed by aliens?” Even as I said it, I realized that cached credentials would get the administrator in and Les said it a heartbeat later.
I thought for a moment longer and said “Hmmm. What if the PC was built over RIS, the local admin disabled remotely and there had never been an admin account logged on? Surely you would need the local Admin account then presupposing alien inspired network outage”.
A quick check later and we had our answer. On Windows 2003, you can re-enable the admin account when doing a safe mode boot. See https://support.microsoft.com/kb/814777
I haven’t tried this in Vista yet but I will.
Until next time
Mark
Comments
- Anonymous
May 18, 2007
Hmmm. We haven't been all that consistent here. By default, the administrator account is disabled and that account can not log in from safe mode. However, if this is an upgrade from XP and the admin account was the only account that the machine had, administrator is still enabled. Looks like there is no sensible blanket policy here.