(I suspect he intended to keep it as a back-door)). I have my predecessor to thank for not only giving that one full domain admin rights, but also VPN login authority. (I'm just cleaning up after a dose of this fairly recently, where we had an older version of some backup software which stored its creds in clear text in a config file. Got a service running on old / exploitable code? Presto, that exploit now has full domain admin rights. Do not use domain admin accounts for service accounts. Maybe, but as others have pointed out, you'll only have to have the experience of a rogue-just-terminated-and-now-the-proud-owner-of-a-seriously-bad-attitude admin destroying a bunch of stuff on his/her way out the door once to wish you'd done it previously. And while we're on topic - service accounts should be just that, service accounts. Conversely my SQL admin guy is never going to need to make changes to domain trust relationships. For example, I know my helpdesk guys would NEVER need to log in to our SQL boxes as Admin. This may not be practical in your setup, but in mine. Then you can set all of your admins up with their own accounts - the joy of this is, you can limit their access too. By all means keep a "one account to rule them all" - give it a 128 character password and never log in to it ever, keep the password documented on an encrypted USB drive in a safe somewhere. So, at least you can consider this a good opportunity to correct that. There definitely should not be a single admin account that you all use to do things on the DC / AD generally. I see lots of others have said this - but I can't spice them up enough. So not only deal with their account, look for new accounts or existing accounts that have been modified recently, look for strange accounts that don't seem tied to an individual, process, or application, but determine if the person leaving had access to secure information that may not have been part of their daily function.
Between the company's civil lawsuit against him, and possible federal charges, I don't think he will need to worry about finding a job or a place to live. That, and some other things he did have caused the FBI to investigate. It was a pain having to ask for a domain account in order to do what I needed to do, but I understood why. And just recently, I know of an IT person who was terminated, who hacked their YouTube account and deleted 8000+ hours of instructional videos. I was a contractor, and it took them 4 months to assign me my own admin account. I worked at one place where they terminated an administrator, and she did some things to screw them up after she left. I know that all seems like paranoia but you should consider it if you are at a place where it makes sense. Once they are all gone you may even scan for accounts that are new or accounts where passwords have changed in the last 30 days. There is a lot of risk when an admin leaves so try to cover as much as you can. I've been places where doing so affected only a few things and other places where changing it basically brought down the business. The effect of changing the Domain Admin account will depend greatly on how your environment is set up. If there is a common one, change it as well. If you are worried about security - Also disable any remote access credentials they may use. If you have a Domain Admin account, plus an Admin User account for each IT Admin, and possibly a Domain User account for each admin you can then, of course, change or disable their admin accounts and Domain User accounts. Some of our IT Admins are leaving for good thus we need to change some credentials. This is covered well already in other posts. What are your suggested steps in performing this task? That depends - is the Domain Account the Domain Administrator account? If it is not, then it will only affect logging into your DC servers.
Is there any impact if I change the Domain Account that we usually use to log in on our DC Servers?