
Local Accounts on a Windows 7 Network and Server 2008 R2

Posted on 2011-10-24
Last Modified: 2012-05-12
I have many Server 2008 R2 networks with Windows 7 clients and want to know how I should handle local desktop accounts.

Should I just have a local admin account and that's all, or should I also have a local account for the common user of that machine?

What about users that use 2-3 different machines in the office? Should they have a local login on each machine they typically use or just domain account?
Question by:ATL74
13 Comments
 
LVL 23

Accepted Solution

by:
jakethecatuk earned 888 total points
ID: 37017421
You should really be using domain accounts at all times as it makes management so much easier.  It also allows users to move to different machines and retain settings through roaming profiles (common data folder, printers, drive maps etc.)

Local accounts should be discouraged and the local admin account should be disabled and any local user accounts removed from the Windows 7 machines.
 
0
 
LVL 23

Assisted Solution

by:Stelian Stan
Stelian Stan earned 444 total points
ID: 37017429
Does that client have a domain?
If they have a domain you only need a domain account for each user.
0
 
LVL 20

Assisted Solution

by:Iain MacMillan
Iain MacMillan earned 224 total points
ID: 37017450
Be mindful about disabling local admin accounts (the default one is disabled by default).  I had some systems where a corrupt domain profile rendered the system useless when it was offshore, even when trying to fix the issue remotely with a DA account.  In the end, we had to use a local admin account, and fix the system & registry from there.

You also need a local admin account if you need to use the recovery console or safe mode.
0

Author Comment

by:ATL74
ID: 37017586
So should I create a local account with admin access and delete all others? Or just use the default administrator account?
0
 
LVL 23

Assisted Solution

by:jakethecatuk
jakethecatuk earned 888 total points
ID: 37017599
As IainNIX said...not having a local admin account has its risks - which I personally have lived with in the past without any problems, but it's personal choice.

You can either leave the admin account enabled with a strong password or create a new account with admin rights and leave the admin account disabled.  Either will achieve the same result.
0
 
LVL 23

Assisted Solution

by:Stelian Stan
Stelian Stan earned 444 total points
ID: 37017610
Another option is to enable the local admin account, put a strong password on it and rename the account.
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 444 total points
ID: 37017810
I am just going to highlight the point of using domain accounts for your users. I would limit administrative access as much as possible, but that is a personal choice. If a user does need administrative access, try adding the domain account to his/her computer's local administrators or power users group.
0
 

Author Comment

by:ATL74
ID: 37018322
jakethecatuk: As IainNIX said...not having a local admin account has its risks - which I personally have lived with in the past without any problems, but it's personal choice.

You can either leave the admin account enabled with a strong password or create a new account with admin rights and leave the admin account disabled.  Either will achieve the same result.

Any other pros/cons to doing it one way or the other? Is one more secure than the other?
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 444 total points
ID: 37018361
I would either rename the built-in admin account, or just use another one altogether. It is common knowledge that the default admin account for a Windows system is "Administrator". That is half of the puzzle a hacker would need to solve to get into any system. A renamed or separate account could be anything and forces the attacker to figure out two things. I would also disable showing the username of the previously logged-in user (GPO).
0
 
LVL 23

Assisted Solution

by:jakethecatuk
jakethecatuk earned 888 total points
ID: 37018401
Any other pros/cons to doing it one way or the other? Is one more secure than the other?

Not having a local admin account is inherently more secure, but poses its own risks which IainNIX has highlighted.  Firebar has also made valid comments about renaming the administrator account or creating a new one.

There is no right/wrong answer with this, and all of the answers above will give you what you want - it's purely down to your preference.  

If you are unsure, start with the simple solution of moving all users to a domain and having a strong password for an administrator account (that is not administrator) on all PCs - it's the one that requires the least amount of effort on your part.  You can then look to increase security over time.
0
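An added example, not part of any post in this thread: a Windows PowerShell check of one workstation against the advice given above (built-in Administrator not enabled under its default name, no stray enabled local accounts, last logged-on user name hidden). The function name, the `-ExpectedAdmin` parameter and the account names `wsadmin` and `jsmith` are hypothetical; the sample accounts are constructed.

```powershell
# Added example. Requires Windows PowerShell (Get-WmiObject); run elevated.
function Test-LocalAccountPolicy {
    param(
        [object[]]$Accounts,        # objects with Name, SID, Disabled
        [string]$ExpectedAdmin,     # the one sanctioned local admin account (hypothetical)
        $HideLastUser               # DontDisplayLastUserName value, or $null if unset
    )
    $findings = @()
    foreach ($a in $Accounts) {
        if ($a.SID -like 'S-1-5-21-*-500') {
            # RID 500 is the built-in Administrator, whatever it has been renamed to.
            if (-not $a.Disabled -and $a.Name -eq 'Administrator') {
                $findings += 'Built-in admin is enabled under its default name'
            }
        }
        elseif (-not $a.Disabled -and $a.Name -ne $ExpectedAdmin) {
            # Users should log on with domain accounts, so any other enabled
            # local account needs a reason to exist.
            $findings += "Enabled local account to review: $($a.Name)"
        }
    }
    if ($HideLastUser -ne 1) {
        $findings += 'Last logged-on user name is shown at the logon screen'
    }
    return $findings
}

# Constructed sample: default admin left enabled, plus a leftover local user.
$sample = @(
    New-Object PSObject -Property @{ Name = 'Administrator'; Disabled = $false
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    New-Object PSObject -Property @{ Name = 'wsadmin'; Disabled = $false
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
    New-Object PSObject -Property @{ Name = 'jsmith'; Disabled = $false
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-1002' }
)
Test-LocalAccountPolicy -Accounts $sample -ExpectedAdmin 'wsadmin' -HideLastUser $null

# The same check against the live machine.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$hide = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DontDisplayLastUserName
Test-LocalAccountPolicy -Accounts $accounts -ExpectedAdmin 'wsadmin' -HideLastUser $hide

# Domain accounts granted local admin rights show up here for review.
net localgroup Administrators
```

On the constructed sample the function reports three findings: the enabled default-named built-in admin, the `jsmith` account, and the visible last user name.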
 

Author Comment

by:ATL74
ID: 37018501
When doing maintenance and such on the domain, should you use the administrator account or create another one? Security speaking.

A lot of the customers I inherited have domain networks and all the admin work is done under the administrator account.

Should this be changed to be more secure on a domain?
0
 
LVL 23

Assisted Solution

by:jakethecatuk
jakethecatuk earned 888 total points
ID: 37018532
At a domain level, the administrator should have a strong password that is stored in a secure place and never used.  Anyone that needs to carry out domain admin functions should have their own account so that you have an audit trail of who does what.  Even if you are the only administrator, you should still follow this guideline.

If you have inherited a lot of domains, suggest you do the above as that will guarantee that only the people who have an account are doing things on the domain.
0
 

Author Comment

by:ATL74
ID: 37018892
I will make those changes. Thanks for the advice.
0
