When installing Active Directory (AD), an administrator account is created as part of the creation of the first AD domain, the so-called Forest Root AD domain. The same happens in each additional child or tree root AD domain that is added later. The (default) administrator account (RID 500) in any AD domain is always a member of the “Administrators” group and the “Domain Admins” group of that same AD domain. In the Forest Root AD domain, it is also a member of the “Enterprise Admins” group.
As a best practice, the default administrator account should never be used for anything, except:
- The initial setup of an AD domain;
- Disaster recovery activities for products and/or processes that depend on the usage of the default administrator account;
- Service outage when things are so broken that no (other) account can log in.
With this in mind, the default administrator account can be considered a so-called Break-Glass Account. It is not owned by anyone; therefore, it must be heavily secured in such a way that it cannot be used without the correct steps and authorizations. In addition, I believe that the number of dependencies should be as low as possible, preferably none at all. The more dependencies exist to use this account, the more things you will have to manage to make it work, and if any of those dependencies fails for whatever reason, that prevents the usage of the default administrator account, making it useless in an emergency scenario. The default administrator account is also a very special account with certain “features” that no other account has. Those features are:
- When global catalogs (GC) are unavailable, broken, not ready, or otherwise not functioning, the default administrator account is the only account that can log on without issues;
- The default administrator account cannot be deleted from the AD domain as it is a built-in account;
- Although the default administrator account can be removed as a member from the “Domain Admins” group and, if applicable, the “Enterprise Admins” group, it cannot be removed from the “Administrators” group as it is a built-in account;
- The default administrator account cannot be locked out. To be technically correct, it can be locked out, but as soon as the correct password is provided it will unlock automatically; in every other respect it behaves the same as other accounts;
Figure 3: The Default Administrator Account Being “Locked Out”
- The default administrator account can be disabled, and after certain (special) steps it can still be used, for example in an emergency scenario. This will be explained in the next blog post.
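As an added example (not part of the original post), the following PowerShell report locates the RID 500 account of a domain by its SID, so it is found even when renamed, and reports the properties discussed above: enabled/locked-out state, last use, and membership in “Administrators”, “Domain Admins” and “Enterprise Admins”. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the function name and its parameter are my own.

```powershell
# Added example: audit the default administrator account (RID 500) against the
# break-glass practice described above. Not code from the original post.
Import-Module ActiveDirectory

function Get-DefaultAdminReport {
    param(
        # Assumption: defaults to the domain of the current session; any other
        # domain in the forest can be passed by its DNS name.
        [string]$Server = (Get-ADDomain).DNSRoot
    )
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server

    # The default administrator is always <domain SID>-500, whatever its name.
    $rid500 = "$($domain.DomainSID.Value)-500"

    $props = 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'LockedOut',
             'BadLogonCount', 'AdminCount'
    $admin = Get-ADUser -Identity $rid500 -Server $Server -Properties $props

    # Direct group membership, including the primary group.
    $groups = (Get-ADPrincipalGroupMembership -Identity $admin -Server $Server).Name

    [pscustomobject]@{
        Domain             = $domain.DNSRoot
        IsForestRoot       = ($domain.DNSRoot -eq $forest.RootDomain)
        SamAccountName     = $admin.SamAccountName   # differs from "Administrator" if renamed
        Enabled            = $admin.Enabled
        LockedOut          = $admin.LockedOut        # clears again on the next correct password
        BadLogonCount      = $admin.BadLogonCount
        LastLogonDate      = $admin.LastLogonDate    # from replicated lastLogonTimestamp (coarse)
        PasswordLastSet    = $admin.PasswordLastSet
        InAdministrators   = $groups -contains 'Administrators'    # always true for RID 500
        InDomainAdmins     = $groups -contains 'Domain Admins'     # removable
        InEnterpriseAdmins = $groups -contains 'Enterprise Admins' # expected only in the forest root
    }
}

Get-DefaultAdminReport | Format-List
```

A recent LastLogonDate on an account that is supposed to be break-glass only is the first thing to follow up on.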
Cheers,
Jorge
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
IAMTEC | Jorge’s Quest For Knowledge
https://jorgequestforknowledge.wordpress.com/
Identity | Security | Recovery