Anyone still using local admin accounts on servers?

davidbeckham
We’re reviewing some older systems and noticed a few still have shared local admin accounts floating around.

I know best practice is to avoid that, but I’m wondering how common it actually still is in the wild.
 
Assuming you are talking about Windows Server, every organization I have ever worked at has a Directory Services Restore Mode (DSRM) Administrator on the Domain Controllers, and this account cannot even be used during normal operation... you have to boot into Directory Services Restore Mode.

For member servers, most properly managed organizations use LAPS (the Microsoft Local Administrator Password Solution), so each server has a different local Administrator password.
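As an added example (not code from any poster in this thread), here is a PowerShell check that lists the domain's member servers and reports whether a LAPS password-expiration attribute is populated, which is a quick way to find servers still relying on an unmanaged, possibly shared, local Administrator password. It assumes the ActiveDirectory RSAT module and read access to the expiration-time attributes of legacy LAPS (ms-Mcs-AdmPwdExpirationTime) and Windows LAPS (msLAPS-PasswordExpirationTime); the password attribute itself is deliberately not read.

```powershell
# Added example: audit member servers for LAPS coverage.
# Assumes the ActiveDirectory module (RSAT) and read access to the LAPS
# expiration-time attributes. These are timestamps, not secrets.
Import-Module ActiveDirectory

$legacyAttr  = 'ms-Mcs-AdmPwdExpirationTime'    # legacy LAPS
$windowsAttr = 'msLAPS-PasswordExpirationTime'  # Windows LAPS

# Member servers only: server OS, excluding domain controllers
# (primaryGroupID 516 = Domain Controllers, 521 = Read-only DCs),
# which are logged on with domain accounts plus the offline DSRM account.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
    -Properties OperatingSystem, PrimaryGroupID, $legacyAttr, $windowsAttr |
    Where-Object { $_.PrimaryGroupID -notin 516, 521 }

$report = foreach ($s in $servers) {
    $legacy  = $s.$legacyAttr
    $windows = $s.$windowsAttr

    # Both attributes hold a FILETIME (int64); convert so expired
    # entries (LAPS client no longer rotating) are visible too.
    $expiry = $null
    $flavor = 'NONE'
    if ($windows) {
        $flavor = 'Windows LAPS'
        $expiry = [DateTime]::FromFileTimeUtc([int64]$windows)
    } elseif ($legacy) {
        $flavor = 'Legacy LAPS'
        $expiry = [DateTime]::FromFileTimeUtc([int64]$legacy)
    }

    $expired = $null
    if ($expiry) { $expired = $expiry -lt (Get-Date).ToUniversalTime() }

    [pscustomobject]@{
        Name       = $s.Name
        OS         = $s.OperatingSystem
        LapsFlavor = $flavor
        ExpiryUtc  = $expiry
        Expired    = $expired
    }
}

# Servers with no LAPS attribute at all are the ones to chase first;
# 'Expired = True' means LAPS was set up once but is no longer rotating.
$report | Sort-Object LapsFlavor, Name | Format-Table -AutoSize
$report | Where-Object { $_.LapsFlavor -eq 'NONE' -or $_.Expired } |
    Export-Csv -NoTypeInformation -Path .\laps-gaps.csv
```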
 
Not sure of your context here.
"shared"...."local admin account"....on a "server".
This "server"...is it a "domain controller"? Usually on a DC, once you've promoted it to a DC, you always log in with a "domain admin" account...not a local account. Same with member servers of that domain, once you've joined the domain, you always log in with a domain admin account. Technically you can log in with a local account..but...it's just...there's no purpose to that, you don't use that again.

"shared"....very rarely, with just a few clients that are larger and have their own in-house IT people...they will have their domain user admin accounts that they log in with...and we're comfortable with their knowledge of administering the server. If that's what you mean by "shared"...as in...allowing the client to log into the server. Majority of our clients don't log in, they don't know what they're doing, and we'd prefer they stay out...they have us to do that stuff.
 

.\Administrator or similar works only on member servers in a domain.... Domain Controllers themselves can log on only with domain accounts, except when booting into Directory Services Restore Mode...

Either way, shared accounts are extremely rare in this day and age. About the only account sharing is that an admin's domain account likely logs into a LOT of servers, but users of course do not share usernames and passwords.

I guess I am just lucky I work for an organization where we have a large in-house IT department... We have a couple hundred IT folks. That said I actually do not even deal with Active Directory or Windows servers checks and balances and all, but my team does networking only.

Surprisingly, my job is not more trouble than it is (here are our two applications, SSL and Microsoft Updates). In the past hour over 56 thousand users hit 290 thousand URLs, downloading about 27.3 Terabytes (not terabits). That is around 76.6 Gbps continuous spent loading webpages like this one... I am glad this stuff pretty much just works without many complaints.
.\Administrator or similar works only on member servers in a domain.... Domain Controllers themselves can log on only with domain accounts, except when booting into Directory Services Restore Mode...

Correct. Been doing Windows Servers since NT 3.5...that's why I said "always log in with a domain account" after mentioning the DC...and the member servers were a few sentences after that.
 