Is it possibe to remove local admin on Windows Server?
-
It possible to completely remove the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?
-
@Pete-S
As long as the server isn't a DC you can disable the local admin account. Just make your domain admin, or an account with domain admin rights, part of the local admin group.
-
@WLS-ITGuy said in Is it possibe to remove local admin on Windows Server?:
@Pete-S
As long as the server isn't a DC you can disable the local admin account. Just make your domain admin, or an account with domain admin rights, part of the local admin group.
OK, thanks!
-
A better solution: https://www.microsoft.com/en-us/download/details.aspx?id=46899
-
@Grey said in Is it possibe to remove local admin on Windows Server?:
A better solution: https://www.microsoft.com/en-us/download/details.aspx?id=46899
Definitely a better option.
-
@WLS-ITGuy said in Is it possibe to remove local admin on Windows Server?:
@Grey said in Is it possibe to remove local admin on Windows Server?:
A better solution: https://www.microsoft.com/en-us/download/details.aspx?id=46899
Definitely a better option.
Ah, so it sets a unique password for local admin on every server and saves those password in the AD so people can find out what the password is?
-
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware
-
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware
I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.
I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.
-
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
@WLS-ITGuy said in Is it possibe to remove local admin on Windows Server?:
@Grey said in Is it possibe to remove local admin on Windows Server?:
A better solution: https://www.microsoft.com/en-us/download/details.aspx?id=46899
Definitely a better option.
Ah, so it sets a unique password for local admin on every server and saves those password in the AD so people can find out what the password is?
Correct.
-
@pmoncho said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware
I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.
I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.
Yes, but if you have physical or kvm access, even virtual, you can use linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.
-
@Grey said in Is it possibe to remove local admin on Windows Server?:
@pmoncho said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware
I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.
I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.
Yes, but if you have physical or kvm access, even virtual, you can use linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.
Not since UEFI... At least it doesn't work with Windows 10 and subsequent kernels.
-
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Grey said in Is it possibe to remove local admin on Windows Server?:
@pmoncho said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware
I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.
I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.
Yes, but if you have physical or kvm access, even virtual, you can use linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.
Not since UEFI... At least it doesn't work with Windows 10 and subsequent kernels.
I can imagine you had problems because of bitlocker or something similar, but not UEFI, unless the system was locked out to only boot a certain way through config. Maybe you could test a UEFI boot with a Hiren's USB boot just for fun?
-
@Grey said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Grey said in Is it possibe to remove local admin on Windows Server?:
@pmoncho said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware
I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.
I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.
Yes, but if you have physical or kvm access, even virtual, you can use linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.
Not since UEFI... At least it doesn't work with Windows 10 and subsequent kernels.
I can imagine you had problems because of bitlocker or something similar, but not UEFI, unless the system was locked out to only boot a certain way through config. Maybe you could test a UEFI boot with a Hiren's USB boot just for fun?
I have tried with the latest Hiren's Boot drive and still doesn't work for Windows 10 for some reason in UEFI... Even if it was bitlocker I could always decrypt and then use it if worked properly. At least the old ntpasswd didn't work (this one https://pogostick.net/~pnh/ntpasswd/) With WIndows 10. Just for giggles I will try it on a VM today with this https://www.hirensbootcd.org/howtos/
-
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Grey said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Grey said in Is it possibe to remove local admin on Windows Server?:
@pmoncho said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware
I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.
I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.
Yes, but if you have physical or kvm access, even virtual, you can use linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.
Not since UEFI... At least it doesn't work with Windows 10 and subsequent kernels.
I can imagine you had problems because of bitlocker or something similar, but not UEFI, unless the system was locked out to only boot a certain way through config. Maybe you could test a UEFI boot with a Hiren's USB boot just for fun?
I have tried with the latest Hiren's Boot drive and still doesn't work for Windows 10 for some reason in UEFI... Even if it was bitlocker I could always decrypt and then use it if worked properly. At least the old ntpasswd didn't work (this one https://pogostick.net/~pnh/ntpasswd/) With WIndows 10. Just for giggles I will try it on a VM today with this https://www.hirensbootcd.org/howtos/
You just use Ubuntu, enable the repo that provides chntpw package to make changes to Windows accounts?
-
@black3dynamite said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Grey said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Grey said in Is it possibe to remove local admin on Windows Server?:
@pmoncho said in Is it possibe to remove local admin on Windows Server?:
@dbeato said in Is it possibe to remove local admin on Windows Server?:
@Pete-S said in Is it possibe to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware
I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.
I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.
Yes, but if you have physical or kvm access, even virtual, you can use linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.
Not since UEFI... At least it doesn't work with Windows 10 and subsequent kernels.
I can imagine you had problems because of bitlocker or something similar, but not UEFI, unless the system was locked out to only boot a certain way through config. Maybe you could test a UEFI boot with a Hiren's USB boot just for fun?
I have tried with the latest Hiren's Boot drive and still doesn't work for Windows 10 for some reason in UEFI... Even if it was bitlocker I could always decrypt and then use it if worked properly. At least the old ntpasswd didn't work (this one https://pogostick.net/~pnh/ntpasswd/) With WIndows 10. Just for giggles I will try it on a VM today with this https://www.hirensbootcd.org/howtos/
You just use Ubuntu, enable the repo that provides chntpw package to make changes to Windows accounts?
Yeah, I have used that.
