Confused with Admin accounts
-
I'm a bit confused with the different admin accounts.
When connecting remotely to a server is it best to do so with THE administrator account
or with a user's admin account? What I mean is: "Domain"\administrator or "Domain"/admin-John
I'm confused because what I've seen is some servers have programs and interfaces running on the administrator account with shortcuts, batch files etc and if i log on with my admin account then it loads my desktop with no shortcuts and no interfaces visibly running.
Which account is it best to use?
In total I have access to 3 accounts. local user, domain admin and I have access to the administrator account.
I'm new at this so don't want to mess up.
I hope you can help me understand this.
Thanks -
What I've found in the real world usually there's multiple admins (IT Staff) and each admin typically has their own account that they will use to manage the server/domain. This I believe is better security practice but also had other advantages, such as restricting access for some administrators and having a log of who did what and when (in event viewer).
That's just my experience though. I don't really know what kind of answer Microsoft would want to this kind of question on an exam. -
Yes, I guess you are right.
Each Network is probably run in a different way. More than one Administrator account does seem to make sense. -
Miguel,
Todd Murphy is correct! Ideally, you'd want your admins to have an account with Administrative Privileges and one with regular Domain User privileges. The Domain Admin in theory would never really be used for logon purposes but only for Administrative Privileges. This practices gives the added security where a Domain Admin doesn't accidentally leave themselves logged in and someone is able to take advantage of that account. By having even the Admins logon daily with a regular user account, that Admin is more restricted but he/she can also elevate their own privileges through the UAC credential request--this only elevates credentials for that action...this would be a better practice any day. Even so, most would still find it inconvenient so probably wouldn't do it *sigh*.
So for example, on the server you're logging into, if you have a domain account: Domain\mlopez and an administrator account: Domain\MiguelL. Better practice is to log in with the regular domain account. Then when you must perform some function that requires Administrative Privileges, you should be prompted by the UAC to provide the credentials and then use the credentials: Domain\MiguelL. This will elevate the privileges for just action and not for everything you do!
Cordially,
Ronnie Wong
Host, ITProTV -
In my company we each IT person has two accounts our domain\user & domain\admin. We run day to day on domain\admin, but when we troubleshoot a user or system we elevate to our domain\admin account and do the work. This gives us permissions and access we don't have otherwise and puts our admin-hats on for the work we are about to do.