Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Logging on to Workstation as a Local Admin instead of Domain Admin

Status
Not open for further replies.
SysAdmMke

SysAdmMke

Technical User
Jan 18, 2006
34
US
I have a fellow IT Systems Administrator who insists on logging on as the local admin instead of domain admin whenever he works on someones PC.

His reasoning is because if there is malware or a virus, the domain admin account as more access throughout the domain and it could easily affect other PC's because the domain admin account has control over the whole domain versus the local admin account only having access to the PC itself.

A virus or malware is going to affect the machine itself and anything on the network regardless if they are logged on as a domain admin or local admin.

Am I correct or does his theory hold true?

Thanks
Mike
 
Sort by date Sort by votes
There is more than a grain of truth to his thought process.
I have admin privledges on one domain account that is specifically restricted for working on 'non-admin' tasks, and a second with wider range of privledges.
If i am going to work on a known infected machine, it is either going to be as a local admin, removing the machine from the network physically and using standard domain admin, or pulling the drive and slaving it in a sandboxed system (my preference!
 
Upvote 0 Downvote
But there is no real difference between logging as a local admin or logging on as domain admin. You still have the sames rights to the box its just that domain admin allows you to get at shares where the local admin would not. Correct?

-Mike


 
Upvote 0 Downvote
With the setup i have, rights on the computer are identical (as far as i have been able to tell) but rights outside the computer are very different. Some of this may vary depending on how your AD/GP is implemented.

For me, 1 infected workstation is rather simple, if unpleasant to deal with. however, a network of infected workstations is a nightmare only made worse when a server (or 2 or 3) also get infected. Then instead of hours i would be spending days.
 
Upvote 0 Downvote
I would agree there is a slightly lower risk using a local admin rather than a domain level admin account.

Should a virus be started under the Domain Admin account and tried to access network shares it will have more chance of infecting other machines it finds as it will automatically have access.

Unfortunately in many environments the machine admin accounts are synchronized with the same password anyway so this may still be an issue.

In my view it comes back to treating the admin account (in any form) with the respect it deserves.
 
Upvote 0 Downvote
An infected computer with domain admin rights can infect most of the network very quickly; a local administrator account will only compromise the machine.

Our network is locked down quite tightly, but I still practice the same methodology. A workstation should never really need to be logged in as a domain admin.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

H
  • Question
Call Pilot 100 - # of times the phone rings before answering machine picks up
Replies
0
Views
611
Huron Oaks
H
K
  • Locked
  • Question
PABX SL1000 to add Ext Operator
Replies
0
Views
434
kennychin
K
idahomitel
  • Locked
  • Question
SX 200 cfna to operator
Replies
0
Views
384
idahomitel
idahomitel
T
  • Locked
  • Solved
Not able to log into my previous account, and there's no "Forget Password"
Replies
15
Views
1K
Chris Miller
Chris Miller
Mirzapur
  • Locked
  • Question
NEC SV9100 Trunk to Trunk Transferred call Not disconnecting issue
Replies
0
Views
501
Mirzapur
Mirzapur

Part and Inventory Search

Sponsor

Back
Top