Windows 10: Securing the default Administrator account on main domain server using GPO.

I am looking at securing the default 'Administrator' account in my AD environment using Server 2016 but have a few questions regarding doing so.


I want to restrict the default 'Administrator' account via a GPO, applying settings as per the recommended Microsoft 'Securing Built-In Administrator Accounts in AD' best practices guide.


I use backup administrator accounts for general day-to-day maintenance and do not use the default 'Administrator' account at all.


My question is...

Can I apply a GPO for restrictions to the 'Administrator' account ONLY by changing the GPO filtering scope to point only at that account and removing the 'Authenticated users' group??


I don't want to test this because my server is live and don't want to accidentally lock myself out of the system or cause any headaches.


The server is used as a WebServer and VPN Server for remote user access.


The default 'Administrator' account is disabled and currently has a strong password +20 chars and symbols set.

I only use it if I need to re-image the machine or for disaster recovery, then the account is live and allows me to log in.


Thanks!

:)

 

Server 2003 GPO questions

Hello,
I am working on a GPO in Microsoft Server 2003 for the majority of domain users here at my work and I am having difficulties achieving the results I need.

Details:
I would like to disable all programs on the domain user account except a select few. I have accomplished this through enabling "Only allow specific Windows applications to run" or something of that like in the GPO. I then added the programs I want the domain user to be able to run and it automatically excludes the rest. This worked beautifully however, I do want them to have access to a few installer files on our network drive but when I attempt to open the installer packages, I get a restriction error. More precisely, I get the same error that comes up when I try to open any other applications that are not included in the "Only allow specific Windows applications to run" field. I have scoured the GPO for about a day now and enabled every option I could think of that may allow these installations to run but I have not succeeded in finding it. Anyone have any advice?
Notes:
I have added the account I am monitoring through the GPO as an administrator on each local machine with my domain specified in the domain field.

I am also wondering if there is a setting which allows an admin to bypass the GPO while logged in as the domain user that is governed by said GPO by some form of authentication?

Let me know if any other information is needed. I will provide it as promptly as possible.

Thanks in advance for the help! *Toast :toast:

 

What is a proper way to change the default name of the local administrator account on Server 2012R2?

Hello:

I'm installing Windows Server 2012R2 and I'd like to change the default name of my local administrator account. I've learned two methods:

1. Via Local Security Policy, there is a feature under "Security Options" called "Accounts: Rename Administrator Account"
2. Via Computer Management, under "Local Users & Groups" and withing the "Users" folder, I can Right-Click for a "Rename" option on my default name of "Administrator".

Do both methods accomplish the same goal? Is there a significant caveat I should be aware of with these methods? I just want to implement a best-practice step in a classroom environment that sees a lot of foot traffic.

Thanks.

Incidentally, this server is intended to be the domain controller for our small lab.

 

"This security ID may not be assigned as the owner of this object", when trying to create GPO as Domain Admin

Hi,

I, and a couple of other members in our IT Team who are in the "Domain Administrators" group in active directory have been trying unsuccessfully to create a new GPO in the GPMC.

Delegation is set to allow Domain Admins to create a new GPO, but whenever we try, we're met with the message above; "This security ID may not be assigned as the owner of this object".

I've also tried to create a GPO using the default "Administrator" account on the Domain - unfortunately to no avail.

I've searched through multiple forums already, and have yet to find a solution.

Any help with this issue is thoroughly appreciated.

Thanks,

Harvey