From: hwbuerger on
I plan to have no local account on a Windows XP prof. PC with admin rights.
(Administrator Account disabled)
For admin rights on the PCs, I plan to add a Domain account to the local
administration group.
How do I ensure that I can log in with admin rights any time, even when the
PC is not connected to the Domain? Is there a need for a local account with
admin rights?
Thanks, HW
From: Bruce Chambers on
hwbuerger wrote:
> I plan to have no local account on a Windows XP prof. PC with admin rights.
> (Administrator Account disabled)

Very unwise. What are you trying to accomplish, beyond making many
useful diagnostic and repair techniques useless?


> For admin rights on the PCs, I plan to add a Domain account to the local
> administration group.

That's normal for a domain environment.


> How do I ensure that I can log in with admin rights any time, even when the
> PC is not connected to the Domain?

Only by having a local account with administrative privileges.

> Is there a need for a local account with
> admin rights?


Yes, of course there needs to be a local admin account. The standard
security practice is to rename the built-in Administrator account, set a
strong password on it, and use it only to create other accounts for
regular use, reserving the Administrator account as a "back door" in
case something corrupts your regular account(s).


--

Bruce Chambers

From: Anteaus on

You would only be able to login with domain admin credentials if that
account had logged-in previously, and the credentials had been cached. Which
is basically an unwise assumption to make.

So, yes you need a local account.

Besides, logging-in to a client computer as domain admin is not a good
policy, as it exposes the server(s) to any malware running on the client.
Remember that the domain admin account has unlimited power to modify settings
on *ANY* domain computer it can see across the wire.

"hwbuerger" wrote:

> I plan to have no local account on a Windows XP prof. PC with admin rights.
> (Administrator Account disabled)
> For admin rights on the PCs, I plan to add a Domain account to the local
> administration group.
> How do I ensure that I can log in with admin rights any time, even when the
> PC is not connected to the Domain? Is there a need for a local account with
> admin rights?
> Thanks, HW
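
Added example, not part of any post in this thread: a PowerShell audit of the point both replies make, that an offline administrator logon needs either an enabled local admin account or previously cached domain credentials. It assumes Windows PowerShell 2.0 or later and an elevated prompt; `CachedLogonsCount` is the Winlogon registry value behind the "number of previous logons to cache" policy.

```powershell
# Added example (not from the thread). Run from an elevated Windows PowerShell prompt.
$computer = $env:COMPUTERNAME

# Find the local Administrators group by its well-known SID; the display name is localized.
$group = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

# List member ADsPaths through the WinNT provider.
# Local accounts look like WinNT://DOMAIN/COMPUTER/name, domain accounts like WinNT://DOMAIN/name.
$adsi = [ADSI]"WinNT://$computer/$($group.Name),group"
$members = @($adsi.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})
$localMark = '/' + [regex]::Escape($computer) + '/'
$nonLocalMembers = @($members | Where-Object { $_ -notmatch $localMark })

# Keep only local members whose account is enabled; a disabled Administrator does not help offline.
$enabledLocalAdmins = @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | Where-Object {
    -not $_.Disabled -and ($members -match ($localMark + [regex]::Escape($_.Name) + '$'))
})

# Read how many domain logons Windows may cache (0 disables caching; default is 10 when unset).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty $winlogon).CachedLogonsCount
$cachedCount = if ($null -eq $raw) { 10 } else { [int]$raw }

# Report the findings.
"Enabled local administrators: " + (($enabledLocalAdmins | ForEach-Object { $_.Name }) -join ', ')
"Non-local members of the group: " + ($nonLocalMembers -join ', ')
"CachedLogonsCount: $cachedCount"

if ($enabledLocalAdmins.Count -gt 0) {
    "OK: an administrator can log on with the domain unreachable."
} elseif ($cachedCount -gt 0 -and $nonLocalMembers.Count -gt 0) {
    "WARNING: offline admin logon works only for a domain account that has already logged on here interactively."
} else {
    "WARNING: no administrator logon path exists without a domain controller."
}
```

A nonzero `CachedLogonsCount` only shows that caching is enabled; it does not prove that any particular domain account has a cached entry on this PC.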