Should the Windows 7 local administrator profile be enabled if the computer is part of a Windows 2003 domain?
Users are not administrators on their own workstations. I'm wondering if I need a local administrator account on the computer if I've already logged on once to the computer as the domain administrator.
Personally, I enable the local Administrator account via a startup script. (That script also sets the password-- depending on the Customer site it may be a unique password per machine, or a "blanket" password for all machines.)
This gives me an account to troubleshoot with if the machine's domain trust relationship gets broken. I need them very rarely, but they're nice to have when I do need them.
I've toyed with creating an Administrator-equivalent account with a randomly-chosen name and random per-machine password and leaving the stock Administrator account disabled but haven't decided to do that. The password also shouldn't be set using a startup script because it would be trivially easy for users to read the script (even if you restrict access to "Domain Computers"-- it's trivially easy for a user to get "Domain Computers" rights in most AD deployments). That'll probably be my next iteration...
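The startup-script approach from the answer above, written out as an added example (this is not the answerer's script). It locates the built-in Administrator by its well-known RID 500, so it keeps working after the account has been renamed, enables it, and sets a random per-machine password generated at run time, so no password literal sits in a script that users can read. It uses WMI and the ADSI WinNT provider, which are present on Windows 7 without the newer LocalAccounts module. The `-NewName` parameter and the placeholder name are assumptions, not from the page. Where the generated password gets recorded is the part the answer leaves open: here it is simply returned to the operator, which is fine when run by hand and useless from an unattended startup script.

```powershell
# Added example, not from the original answers. Run elevated on the workstation.
param(
    [string]$NewName = '',        # e.g. 'Gandalf'; leave empty to keep the current name (assumed parameter)
    [int]$PasswordLength = 20
)

function New-RandomPassword {
    param([int]$Length)
    # Ambiguous glyphs (I, O, l, 0, 1) left out; characters chosen with a CSPRNG,
    # rejecting bytes that would introduce modulo bias.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_='
    $limit = 256 - (256 % $chars.Length)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $one   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$sb.Append($chars[$one[0] % $chars.Length]) }
    }
    return $sb.ToString()
}

# The built-in Administrator always carries RID 500, whatever it is currently called.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
           Where-Object { $_.SID -like '*-500' }
if (-not $builtin) { throw 'Built-in Administrator (RID 500) not found on this machine.' }

$acct = [ADSI]"WinNT://$env:COMPUTERNAME/$($builtin.Name),user"

# Enable the account and commit.
$acct.psbase.InvokeSet('AccountDisabled', $false)
$acct.SetInfo()

# Fresh per-machine password; nothing static is stored in this script.
$password = New-RandomPassword -Length $PasswordLength
$acct.SetPassword($password)
$acct.SetInfo()

# Optional rename (the RID-500 lookup above means the next run still finds it).
if ($NewName) {
    $acct.psbase.Rename($NewName)     # Rename commits immediately on the WinNT provider
    $finalName = $NewName
} else {
    $finalName = $builtin.Name
}

# Hand the result to whoever ran the script; a real deployment must store this
# somewhere users cannot read, which is exactly the problem the answer points at.
New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME
    Account  = $finalName
    Password = $password
}
```

If you deploy this as a GPO startup script, the only thing in the script is the generation logic, not a password, so a user who can read the script learns nothing reusable; the weak point moves to wherever the returned password is written.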
No, it should not. It's recommended by Microsoft to disable or rename the default Administrator account as a best practice.
That said, you do want a local administrator, otherwise you'll be in for a big hassle if the machine loses its domain trust (or domain connection) and you need to log in with administrative privileges to correct the issue.
You can both disable the default admin account and set up a new one with group policy. I take the rename-it-to-a-fictional-character approach.
Accounts: Administrator account status and Rename administrator account.
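The two Security Options the answer names, applied to a single machine with a security template and secedit, as an added example (not the answerer's own policy). The `[System Access]` keys below are what those two GPO settings write; the name "Gandalf" is a placeholder. The same .inf can be imported into a GPO under Computer Configuration, Windows Settings, Security Settings to push it domain-wide. Per the answer, have the replacement local admin account in place before this runs, since disabling the RID-500 account on a machine with no other local administrator leaves nothing to log in with if the domain trust breaks.

```powershell
# Added example, not from the original answers. Run elevated.
# Single-quoted here-string so the $CHICAGO$ signature is not interpolated.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; "Accounts: Administrator account status" = Disabled
EnableAdminAccount = 0
; "Accounts: Rename administrator account" (placeholder name, not from the page)
NewAdministratorName = "Gandalf"
'@

$cfg = Join-Path $env:TEMP 'admin-account.inf'
$db  = Join-Path $env:TEMP 'admin-account.sdb'

# Unicode=yes in the header means the file itself must be UTF-16.
Set-Content -Path $cfg -Value $inf -Encoding Unicode

# Apply only the security-policy area; other areas of the database are untouched.
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet

# Check the result: the RID-500 account should now be disabled and renamed.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' } |
    Select-Object Name, Disabled, SID
```

The verification step looks the account up by SID on purpose: after the rename, searching by the name "Administrator" finds nothing, which is the point of the rename, but it also means any script you keep around to manage the account has to use the RID, not the name.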
You'll want to leave it there and enabled in case the machine loses the ability to talk to the domain for some reason (it happens). Without it you'll have no way to remove the machine from the domain and join it back up to the domain. Just make sure that it's got a strong password that the end users don't know.
It's up to you.
Reasons to keep:
Reasons to not keep: