
Logging on to Workstation as a Local Admin instead of Domain Admin


SysAdmMke (Technical User, US), Jan 18, 2006
I have a fellow IT Systems Administrator who insists on logging on as the local admin instead of domain admin whenever he works on someone's PC.

His reasoning is that if there is malware or a virus, the domain admin account has more access throughout the domain and it could easily affect other PCs, because the domain admin account has control over the whole domain whereas the local admin account only has access to the PC itself.

A virus or malware is going to affect the machine itself and anything on the network regardless of whether they are logged on as a domain admin or local admin.

Am I correct or does his theory hold true?

Thanks
Mike
 
There is more than a grain of truth to his thought process.
I have admin privileges on one domain account that is specifically restricted to working on 'non-admin' tasks, and a second with a wider range of privileges.
If I am going to work on a known infected machine, it is either going to be as a local admin, by removing the machine from the network physically and using a standard domain admin, or by pulling the drive and slaving it in a sandboxed system (my preference!).
 
But there is no real difference between logging on as a local admin or logging on as domain admin. You still have the same rights to the box; it's just that domain admin allows you to get at shares where the local admin would not. Correct?

-Mike


 
With the setup I have, rights on the computer are identical (as far as I have been able to tell) but rights outside the computer are very different. Some of this may vary depending on how your AD/GP is implemented.

For me, 1 infected workstation is rather simple, if unpleasant, to deal with. However, a network of infected workstations is a nightmare, only made worse when a server (or 2 or 3) also gets infected. Then instead of hours I would be spending days.
 
I would agree there is a slightly lower risk using a local admin rather than a domain level admin account.

Should a virus be started under the Domain Admin account and try to access network shares, it will have more chance of infecting other machines it finds, as it will automatically have access.

Unfortunately, in many environments the machine admin accounts are synchronized with the same password anyway, so this may still be an issue.

In my view it comes back to treating the admin account (in any form) with the respect it deserves.
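The point made above, that the reach of whatever runs in your session is the reach of the account you logged on with, is easy to check before you start on a suspect workstation. The following PowerShell is an added example, not code from the thread or from any of its posters; it assumes a domain-joined Windows host and reads only the current logon token. The function name Get-AdminScope is my own.

```powershell
# Added example (not from the thread): report whether the current session's token
# carries domain-wide admin rights, so you notice before working on an infected
# workstation as a Domain Admin. Assumes a domain-joined Windows host.
function Get-AdminScope {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Group SIDs present in the token. Under UAC a filtered token still lists the
    # admin groups (flagged deny-only), so this reflects the account, not elevation.
    $groupSids = @($identity.Groups | ForEach-Object { $_.Value })

    # Well-known RIDs on a domain SID: 512 = Domain Admins, 519 = Enterprise Admins.
    $domainAdmin = [bool]($groupSids | Where-Object { $_ -match '^S-1-5-21-.*-(512|519)$' })

    # S-1-5-32-544 is BUILTIN\Administrators on this machine only.
    $localAdmin = $groupSids -contains 'S-1-5-32-544'

    # A local account's authority is the computer name; a domain account's is the domain.
    $accountAuthority = $identity.Name.Split('\')[0]
    $isLocalAccount   = $accountAuthority -eq $env:COMPUTERNAME

    [pscustomobject]@{
        Account      = $identity.Name
        LocalAccount = $isLocalAccount
        LocalAdmin   = $localAdmin
        DomainAdmin  = $domainAdmin
        # True only when the process is actually running elevated.
        Elevated     = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

$scope = Get-AdminScope
$scope | Format-List

if ($scope.DomainAdmin) {
    Write-Warning "Domain-level admin token: anything running in this session can reach every host that account administers."
}
elseif ($scope.LocalAdmin) {
    Write-Host "Local admin only: rights stop at this machine, unless the local admin password is shared across hosts."
}
```

Run it in the session you are about to use on the infected box; a DomainAdmin of True is the case the posters warn about. The shared-local-admin-password caveat in the post above is why the LocalAdmin branch carries a qualifier: a local account is only as local as its password, so each machine should have a unique one (Microsoft's LAPS is the usual way to manage that).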
 
An infected computer with domain admin rights can infect most of the network very quickly; a local administrator account will only compromise the machine.

Our network is locked down quite tightly, but I still practice the same methodology. A workstation should never really need to be logged in as a domain admin.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 