Can I delete the local admin account?

[tahoe2]

I want to secure my NT servers. Can I delete the local accounts and just leave domain accounts on there?
Is it possible to rename the local admin account, or change the password?

Thanks,
Corie

 

[wolluf]

You can certainly rename the Administrator account - (In User Manager) - I'd suggest that's best approach here.

 

[tahoe2]

User manager is only available in NT workstation, and User Manager for domains only lets you change domain accounts.
I need to change the local account on several NT servers, but I don't know how.
Our PDC has no local accounts, so I figure it must be OK to just delete the accounts, but I like to be certain.

Thanks,
Corie

 

[wolluf]

Bit confused. Local Adminstrator account is also a Domain Admin account by default (obviously you can change this - I don't know how your user structure is set up). All accounts defined on the server will be 'local' or 'domain' or both depending which groups you put them in. And User Manager for Domains will let you rename any account.

Its obviously up to you, but I'd be uncomfortable without any account which belongs to local Administrator's group on the server being present. What do you do if you need to do any administrative work on the server?

 

[tahoe2]

When I open computer properties and choose user profiles, I get a list of 2, [domain]\admin and [local]\admin. We only have one domain, and the admin account is a different name than 'administrator', but the local account is 'administrator'.
I cannot find any way to change it.

Should I log on locally? Is there a way to change the PW that way?

Corie

 

[wolluf]

Corie - I understand - you're looking at profiles, NOT user accounts. If you've got an account called Administrator (in User manager for Domains), you can rename that account there (but it won't change the profile name).

 

[tahoe2]

So, could a hacker log into the local account that currently has no password? (the previous network mgmt did not secure any local accounts, they also left relaying wide open, I'm still trying to get our domain off various blacklists...)

Also, some of these servers have external IP's.

 

[justcurious]

To select the local admin account, open User Manager for Domains, click on "User/Select Domain" and enter the local host name in the Domain feild. To change the name, highlight it and click on the "User/Rename".

You can disable or delete any other local accounts that are not in use.

If you have no password for the local admin account, there is a very real risk of someone connecting to your server using that account.

 

[MarkPrimo]

Put a password on all accounts! Rename the Administrator account. You can not delete it and you don't want to. If you have account lockout enabled you could get locked out of your system. With the admin account there, you can logon locally and re-enable it. I've had to do just that before and almost couldn't remember the password since I didn't use the admin account for normal logins.

 

[tahoe2]

Thanks! I renamed all the admin accounts in the domain. Someday I'll learn the difference between accounts and profiles, but thats for another day.

Again, thanks everyone!

Corie