
Domain Security Question

Status
Not open for further replies.

InIT4theMoney

IS-IT--Management
Feb 6, 2003
22
GB
We run a Small Business Server with a number of Windows XP Professional PCs. All the PCs are joined to the Domain and when our users are logged on as themselves we are able to use the security settings on various server folders and other resources to grant or deny permissions normally. No problem.

Everything falls apart if we log on to one of our PCs as the LOCAL Administrator. As far as I was aware, local Admin accounts will have a different security ID to the server Admin account, the Domain Admins Group or the Administrators group. Yet a LOCAL Admin can access all the resources on the server that have DOMAIN Admins group permissions, SERVER Administrator permissions or SERVER Administrators group permissions.

This only happens when the local Admin accounts have the same password as the server Administrator account. If the local Admin account password is different then access to server resources is denied. (A pop-up box asks for a user name and password).

My question is: How can a password override the underlying security identifiers? The local Admin account has no permissions set to enable any access to our server, so shouldn't the server be looking at the security ID and denying permission, irrespective of the account name and password?

Any ideas or explanations would be very welcome.

Ian W
 
It is because your admin naming and password strategy is not sound. If a user account is identical (username and password), you will have access, as you have found. Therefore, you should not use the same username and password in your environment.

1) I would recommend changing the domain admins username and password. Keep this information private. Even create a new account called "administrator" and then disable this account.

2) On your servers, create a policy where all local admin accounts are renamed to something standard, "LocalADMIN", and create a standard password.

3) On your desktops, create a policy where all local admin accounts are renamed to something standard, "DeskTopAdmin", and create a standard password.

4) Change all of your passwords periodically.

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
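As an added example (not part of the original thread or the poster's own procedure), here is how steps 2 and 3 of the answer can be applied on one machine with PowerShell. It assumes a modern Windows host (Windows 10 / Server 2016 or later, with the Microsoft.PowerShell.LocalAccounts module) and an elevated session; the name `DeskTopAdmin` is taken from the answer, and the password is prompted for rather than written into the script.

```powershell
# Added example: audit and rename the built-in local Administrator on this host.
# Assumes Windows 10 / Server 2016+ (Get-LocalUser, Rename-LocalUser, Set-LocalUser)
# and an elevated PowerShell session. The default name is a placeholder taken
# from the answer above; change it to the standard chosen for your environment.
#Requires -RunAsAdministrator
param(
    [string]$NewName = 'DeskTopAdmin'
)

# The built-in local Administrator always has relative ID (RID) 500 in the
# machine's own SID, so locate it by SID rather than by name: the name may
# already have been changed, which is exactly what this script enforces.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) { throw 'Built-in local Administrator (RID 500) not found.' }

$currentName = $builtin.Name
Write-Host "Built-in local admin: $currentName  SID: $($builtin.SID.Value)"

# The SID is local to this machine and carries no rights on the server. The
# access seen in the question comes from pass-through logon: when the server
# receives a name/password pair that matches one of its own accounts, it uses
# that account. Renaming removes the name half of that match.
if ($currentName -eq 'Administrator') {
    Write-Warning "Local admin still has the default name 'Administrator'."
    Rename-LocalUser -Name $currentName -NewName $NewName
    $currentName = $NewName
    Write-Host "Renamed built-in local admin to $NewName."
}

# Give the local account a password of its own so it cannot coincide with
# the domain Administrator's password (the other half of the match).
$pw = Read-Host -AsSecureString -Prompt "New password for local account $currentName"
Set-LocalUser -Name $currentName -Password $pw
Write-Host "Password updated for $currentName."
```

Run it once per PC (or from a startup script) to get the standard local admin name from step 3 everywhere; the same script with `-NewName LocalADMIN` covers the servers in step 2.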
 