Local Accounts on a Windows 7 Network and Server 2008 R2

I have many Server 2008 R2 networks with Windows 7 clients and want to know how I should handle local desktop accounts.

Should I just have a local admin account and that's all, or should I also have a local account for the common user of that machine?

What about users that use 2-3 different machines in the office? Should they have a local login on each machine they typically use or just a domain account?
ATL74 Asked:
 
jakethecatuk Commented:
You should really be using domain accounts at all times as it makes management so much easier. It also allows users to move to different machines and retain settings through roaming profiles (common data folder, printers, drive maps etc.)

Local accounts should be discouraged and the local admin account should be disabled and any local user accounts removed from the Windows 7 machines.
 
 
Stelian Stan (Network Administrator) Commented:
Does that client have a domain?
If they have a domain you only need a domain account for each user.
 
Iain MacMillan (IT Regional Manager - UK) Commented:
Be mindful about disabling local admin accounts (the default one is disabled by default). I had some systems where a corrupt domain profile rendered the system useless when it was offshore, even when trying to fix the issue remotely with a DA account. In the end, we had to use a local admin account, and fix the system & registry from there.

You also need a local admin account if you need to use the recovery console or safe mode.
 
ATL74 (Author) Commented:
So should I create a local account with admin access and delete all others? Or just use the default administrator account?
 
jakethecatuk Commented:
As IainNIX said... not having a local admin account has its risks - which I personally have lived with in the past without any problems, but it's personal choice.

You can either leave the admin account enabled with a strong password or create a new account with admin rights and leave the admin account disabled. Either will achieve the same result.
 
Stelian Stan (Network Administrator) Commented:
Another option is to enable the local admin account, put a strong password on it and rename the account.
 
Jason Watkins (IT Project Leader) Commented:
I am just going to highlight the point of using domain accounts for your users. I would limit administrative access as much as possible, but that is a personal choice. If a user does need administrative access, try adding the domain account to his/her computer's local administrators or power users group.
 
ATL74 (Author) Commented:
jakethecatuk: As IainNIX said... not having a local admin account has its risks - which I personally have lived with in the past without any problems, but it's personal choice.

You can either leave the admin account enabled with a strong password or create a new account with admin rights and leave the admin account disabled. Either will achieve the same result.

Any other pros/cons to doing it one way or the other? Is one more secure than the other?
 
Jason Watkins (IT Project Leader) Commented:
I would either rename the built-in admin account, or just use another one altogether. It is common knowledge that the default admin account for a Windows system is "Administrator". That is half of the puzzle a hacker would need to solve to get into any system. A renamed or separate account could be anything and forces the attacker to figure out two things. I would also disable showing the username of the previously logged-in user (GPO).
 
jakethecatuk Commented:
Any other pros/cons to doing it one way or the other? Is one more secure than the other?

Not having a local admin account is inherently more secure, but poses its own risks which IainNIX has highlighted. Firebar has also made valid comments about renaming the administrator account or creating a new one.

There is no right/wrong answer with this, and all of the answers above will give you what you want - it's purely down to your preference.

If you are unsure, start with the simple solution of moving all users to a domain and having a strong password for an administrator account (that is not administrator) on all PCs - it's the one that requires the least amount of effort on your part. You can then look to increase security over time.
 
ATL74 (Author) Commented:
When doing maintenance and such on the domain, should you use the administrator account or create another one? Security speaking.

A lot of the customers I inherited have domain networks and all the admin work is done under the administrator account.

Should this be changed to be more secure on a domain?
 
jakethecatuk Commented:
At a domain level, the administrator should have a strong password that is stored in a secure place and never used. Anyone that needs to carry out domain admin functions should have their own account so that you have an audit trail of who does what. Even if you are the only administrator, you should still follow this guideline.

If you have inherited a lot of domains, suggest you do the above as that will guarantee that only the people who have an account are doing things on the domain.
 
ATL74 (Author) Commented:
I will make those changes. Thanks for the advice.
Question has a verified solution.
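
The local-account options discussed in this thread (built-in Administrator disabled, renamed, or replaced by a separate admin account, with leftover local user accounts removed) can be checked per machine with a short audit. This is an added example, not code from any poster; the `$ComputerName` parameter is an assumed name, and the script assumes an English-language system where the local group is called `Administrators`.

```powershell
# Added example (not from the thread). Uses only PowerShell 2.0 features,
# so it runs on stock Windows 7 / Server 2008 R2.
param([string]$ComputerName = $env:COMPUTERNAME)   # assumed parameter name

# Local accounts only; without the filter WMI also enumerates domain accounts.
$accounts = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
                          -Filter "LocalAccount=True"

$report = foreach ($a in $accounts) {
    # The built-in Administrator keeps RID 500 even after it is renamed.
    $builtin = $a.SID -match '-500$'

    if     ($builtin -and $a.Disabled)                 { $note = 'built-in admin, disabled' }
    elseif ($builtin -and $a.Name -eq 'Administrator') { $note = 'built-in admin, ENABLED under default name' }
    elseif ($builtin)                                  { $note = 'built-in admin, enabled and renamed' }
    elseif ($a.Disabled)                               { $note = 'local account, disabled' }
    else                                               { $note = 'local account, ENABLED: confirm it is still needed' }

    New-Object PSObject -Property @{
        Name     = $a.Name
        Disabled = $a.Disabled
        Note     = $note
        SID      = $a.SID
    }
}
$report | Select-Object Name, Disabled, Note, SID | Format-Table -AutoSize

# Members of the local Administrators group. The ADsPath of each member shows
# whether it is a local account or a domain user/group added to the machine.
$group = [ADSI]"WinNT://$ComputerName/Administrators,group"
$members = foreach ($m in $group.psbase.Invoke('Members')) {
    $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
}
$members
```

Run it from an elevated prompt on the machine itself, or pass a remote computer name if WMI and the WinNT provider are reachable from the admin workstation.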
