Re: Change local admin passwords on all domain PCs



Again, another desktop deployment question...

I have seen companies assign the local Administrator password during the build process. They also have a domain user account, which is added to the local Administrators group, that has the necessary permissions to join the PC to the domain and perform post-installation tasks.

--

John Policelli,
This posting is provided "AS IS" with no warranties and confers no rights!
http://johnpolicelli.wordpress.com/
----

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb66d5f38cb0ff6410cdc60@xxxxxxxxxxxxxxxxxxxxxxx
Hello John Policelli [MVP-DS],

How do you handle it with saving the local admin password, when you have to log on locally without the domain? Do you have all of them listed in your office?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Guy,

The requirements you set up now are different than those you included
in your initial post.

My recommendation to avoid using the same password for the local
Administrator is still valid though. It sounds like you need to look
into some of the desktop deployment (MS and non-MS based) solutions
that are on the market. These deal with your requirements.

"Guy Pardoe" <guy@xxxxxxxxxxxxxxxx> wrote in message
news:O4sZ8xAQJHA.3936@xxxxxxxxxxxxxxxxxxxxxxx

Hmmmmm... OK then, let's back up a step.

When a new machine is ordered and comes out of the box, IT has to
join it to the domain, do some configuration and load up some
software for the intended employee. We can't use the intended
employee's account because they don't have admin privileges and can't
install most software.

What account do you use for these "pre-deployment" tasks? If you use
domain admin, then that is cached to the local PC with a risk of also
being cracked. That would be worse.

Taking your point of security, how do you manage this?

Guy

John Policelli [MVP-DS] wrote:

So in other words, if someone cracks the local admin password on one
of your computers, you're ok with them then having the local admin
password to all computers? You may want to rethink your strategy.
Never choose convenience over security.



