Logging on to Workstation as a Local Admin instead of Domain Admin

Status
Not open for further replies.

SysAdmMke

Technical User
Jan 18, 2006
34
US

I have a fellow IT Systems Administrator who insists on logging on as the local admin instead of domain admin whenever he works on someone's PC.

His reasoning is because if there is malware or a virus, the domain admin account has more access throughout the domain and it could easily affect other PCs because the domain admin account has control over the whole domain versus the local admin account only having access to the PC itself.

A virus or malware is going to affect the machine itself and anything on the network regardless if they are logged on as a domain admin or local admin.

Am I correct or does his theory hold true?

Thanks
Mike

 
I would say it really doesn’t matter. All your workstations probably have the same local admin passwords, so that local admin can access all workstations and more than likely any non-AD servers anyway. If it propagates via shares, well, you get my point with having all the local admin passwords being the same: you can bypass the domain authentication and use the local accounts because they are all the same. If it exploits a vulnerability in an unpatched workstation, it won’t matter because he is logging in as a user with admin rights; it might not even need admin rights to infect the workstation.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
OK, so what you're saying is I am not going to infect my network any less by logging on as a Local Workstation admin versus a domain admin?
 
If all your workstations have the same password for the local admin, I see almost no reduced risk by using the local admin over the domain admin. The only reduced risk with local admin is it can't access an AD server, as they have no local accounts.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
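
The trade-off argued in this thread can be put into a small exposure model. This is an added example, not code from any poster; the host names, the `pw_group` labels and the inventory are constructed, and the model assumes a credential is accepted wherever the account exists with the same password. It also goes one step past the thread by comparing against the case where every local admin password is unique.

```python
# Constructed inventory (hypothetical host names). "pw_group" labels hosts whose
# local admin accounts share one password; None means the host has no local accounts.
INVENTORY = {
    "WS01":  {"domain_joined": True,  "pw_group": "shared"},
    "WS02":  {"domain_joined": True,  "pw_group": "shared"},
    "WS03":  {"domain_joined": True,  "pw_group": "shared"},
    "NAS01": {"domain_joined": False, "pw_group": "shared"},  # non-AD server
    "DC01":  {"domain_joined": True,  "pw_group": None},      # AD server: no local accounts
}

def exposed_hosts(inventory, logon_host, credential):
    """Hosts where a credential used on logon_host would also be accepted."""
    if credential == "domain_admin":
        # A domain admin account is valid on every domain-joined machine.
        return {h for h, info in inventory.items() if info["domain_joined"]}
    if credential == "local_admin":
        group = inventory[logon_host]["pw_group"]
        if group is None:
            return set()
        # A local admin password is valid on every host that reuses it.
        return {h for h, info in inventory.items() if info["pw_group"] == group}
    raise ValueError(f"unknown credential type: {credential}")

def with_unique_local_passwords(inventory):
    """Copy of the inventory in which every local admin password is different."""
    return {h: dict(info, pw_group=None if info["pw_group"] is None else f"unique-{h}")
            for h, info in inventory.items()}

def compare(inventory, logon_host):
    """Return (local admin exposure, domain admin exposure, hosts only domain admin reaches)."""
    local = exposed_hosts(inventory, logon_host, "local_admin")
    domain = exposed_hosts(inventory, logon_host, "domain_admin")
    return local, domain, domain - local

if __name__ == "__main__":
    scenarios = (("shared", INVENTORY),
                 ("unique", with_unique_local_passwords(INVENTORY)))
    for label, inv in scenarios:
        local, domain, extra = compare(inv, "WS01")
        print(f"{label:7} local={sorted(local)} domain={sorted(domain)} "
              f"domain-only={sorted(extra)}")
```

With the shared password the only host the local admin logon keeps out of reach is the AD server; with unique passwords the local admin logon exposes only the workstation being worked on.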
 