Ramblings from another nerd on the grid
I was surfing around and stumbled into Chris Henley's blog. In his post at http://blogs.technet.com/chenley/archive/2006/07/13/441642.aspx a reader asks how to disable ALL of the local admin accounts on the various machines throughout the network. Smartly, Chris points out a GPO setting that will do this, although I must be getting old because I cannot read it. Chris also mentions that Jesper's blog talks about this. So I dug around on Jesper's blog and sure enough, http://blogs.technet.com/jesper_johansson/archive/... talks about disabling the local admin account.
However, I think the context was different, and I'm going to add my two cents to this discussion. Jesper's reason for disabling the local admin account is that anyone who needs admin privilege should have a unique admin ID. This is good for accountability, so that you can tell which admin is doing what. If multiple people use the same admin ID, guess what happens to reasonable doubt in court? So Jesper's suggestion is a very good one.
In the context of the question posed to Chris, it sounds like they want to disable all local admins but still manage the machines with domain admins. Sounds good on the surface.
What happens when there is no network connectivity between the machine and the domain? No administration. What happens when the machine is a laptop, far from the mother ship, and something happens that requires admin privilege? Again, with no network connectivity, the admins can't RDP to the machine, and someone sitting at it cannot log in to the domain.
So think long and hard about the scenarios where you need those controls. In a campus setting with a dense population of users that don't travel, the domain model works well. In a mobile workforce where some self service might be appropriate, I'm not sure I'd lock those machines down that far.
What do you think? How do you handle super users?
When you disable the local admin account it's still accessible when you boot in safe mode.
Also, the default for a Windows domain (and correct me if I'm wrong) is to cache the last 10(?) logins and store the hashes in the registry. If the network is not available you can still log in to the domain with the cached credentials.
Sometimes a computer account gets corrupt. When this happens the cached credentials also won't work.
But like I said, reboot in safe mode and the local admin account is enabled.
Yeah, you have to be careful about cached creds. Depending on your factory staging process and the imaging used, cached creds may not be present.
Regarding safe mode, if you are an enterprise admin and have physical access (sitting in front of the machine), hopefully you'll know what the local admin password is if it's a standard build from your corporate desktop standard.
Lots of ifs...
If you give the user the admin password because they are far away, you let the genie out of the bottle.
I didn't mention it, but cached creds are actually a security risk. I've been told that you're supposed to set password caching to 0 on office PCs and 1 on laptops. Makes sense. What happens when there's a problem? The tech nerd shows up and logs in with the Domain Admin password, and now that's sitting on their PC where it can be easily extracted and attacked. (I've done this before on my network while doing a security sweep.)
Thankfully, there's always safe mode, which really underscores the old saying "without physical security there is no system security".
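An added audit script, not from the post or its comments, that reads the two settings this thread turns on: whether the built-in Administrator account is disabled (the GPO in the post) and how many domain logons Windows will cache for offline use (the comments' point). It assumes a domain-joined Windows machine with PowerShell 5.1 or later and local admin rights; it only reads state and prints a finding.

```powershell
# Added example (not the post's or the commenters' code): report whether this machine
# still has an administrative path when it cannot reach a domain controller.
# Assumes Windows with PowerShell 5.1+ (Get-LocalUser) run from an elevated session.

# Find the built-in Administrator by its well-known RID 500 rather than by name,
# since the "Accounts: Rename administrator account" policy may have renamed it.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# "Interactive logon: Number of previous logons to cache" lives in Winlogon as a string.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent
$cached = [int]$cached

$inDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

[PSCustomObject]@{
    Computer            = $env:COMPUTERNAME
    DomainJoined        = $inDomain
    BuiltinAdminName    = $builtinAdmin.Name
    BuiltinAdminEnabled = $builtinAdmin.Enabled
    CachedLogonsCount   = $cached
}

# The lockout case from the post: admin disabled and nothing cached means no one can
# log on with admin rights until the machine can talk to a domain controller again.
if ($inDomain -and -not $builtinAdmin.Enabled -and $cached -eq 0) {
    Write-Warning 'No offline administrative path: built-in Administrator is disabled and CachedLogonsCount is 0.'
} elseif (-not $builtinAdmin.Enabled) {
    Write-Output "Offline admin access depends on cached domain credentials (up to $cached logons)."
} else {
    Write-Output 'Built-in Administrator is enabled; local admin logon works without the domain.'
}
```

Run it against a few laptops and desktops before rolling out the GPO, and you will see which builds would end up in the "no administration" state the post describes.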