Hi,
We already allow DataMiner installation under a different local account than the built-in Administrator, in case that account has local admin rights assigned.
Do we also support this in case of a domain account with local admin rights?
If so, how easy/difficult would it be to migrate an existing DataMiner installation from 'local user with admin rights' to 'domain user with admin rights'?
If you are logged in as a domain user with administrative privileges on the system, and you check the box to add the local user to DataMiner during the installation setup, then it will add the domain user to the DataMiner user list automatically. Thus, in my experience, you can install using a domain account with local admin rights.
It’s not possible from Cube to delete the built-in Administrator account. It might be possible to delete the local Administrator account on the computer itself. As a last resort, there is a method for manually editing the security.xml file that might allow you to delete the built-in Administrator account, but I’m not sure that DataMiner wouldn’t just recreate it on restart.
If the goal is to prevent that account from being able to log in to DataMiner, there is a Local Group Policy security setting that can be set to prevent network login of local account credentials. While this would prevent the account from being accessible, this would also affect all local accounts, and then only domain logins would work in DataMiner.
Here is a link with instructions:
https://www.techcrafters.com/portal/en/kb/articles/how-to-block-remote-network-access-for-local-user-accounts-in-windows
Thanks for sharing, Michael – not in Cube, I’m talking about disabling the local built-in at OS layer. If there is a different local user named “Spike” or “Teresa”, with exactly the same privileges, that would be perfectly fine – security-wise, since most attacks are directed to gain admin access, not flagging the “root” user by calling it “Administrator” is considered good practice.
I have a similar use case in one cluster, Ruben.
I've achieved the 1st part by adding a domain "admin" account: this works fine to get access to the system and so on, however I have not been able to test what happens in DataMiner when the old built-in account that was used to build the DMA is disabled.
This is a requirement that is becoming more and more common, similar to getting the root user disabled in a UNIX-like system.
Where this is specified from day 1, installing with a domain account is confirmed above by Michael.
I guess the next step is to test the outcome on a staging system when the following steps are actioned:
Microsoft's reference here
Needless to say, I'm following this thread as this might save me from having to test in my environment too - upvoting your question!
Which OS/DMS versions do you use?
Is it also possible to disable the built-in Administrator on systems that were built with it enabled? Thinking of all the possible places where by default we’d get “Administrator” and if the system can be updated by switching to a domain account with the same privileges.
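
Added example, not part of the thread and not DataMiner's own tooling: a read-only PowerShell pre-check for a staging server that reports the state of the built-in Administrator and whether another administrator (local or domain) exists before that account is disabled at OS level. It covers the Windows side only and says nothing about how DataMiner reacts; the function name `Get-BuiltinAdminReadiness` and the output field names are hypothetical.

```powershell
# Read-only audit. Run in an elevated session on the server being checked.
# Uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1+).
function Get-BuiltinAdminReadiness {
    # The built-in Administrator keeps RID 500 even if it has been renamed.
    $builtin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so this also works on systems where the group name is localized.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    $report = foreach ($m in $members) {
        $enabled = $null   # stays unknown for domain principals and groups
        if ($m.PrincipalSource -eq 'Local') {
            # Local groups are not returned by Get-LocalUser; ignore the miss.
            $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
            if ($u) { $enabled = $u.Enabled }
        }
        [pscustomobject]@{
            Name      = $m.Name
            Class     = $m.ObjectClass
            Source    = $m.PrincipalSource   # Local, ActiveDirectory, ...
            IsBuiltin = ($m.SID.Value -eq $builtin.SID.Value)
            Enabled   = $enabled
        }
    }

    # An alternative admin is any member that is not the RID-500 account
    # and is not a local user that is already disabled.
    $alternatives = @($report |
        Where-Object { -not $_.IsBuiltin -and $_.Enabled -ne $false })

    [pscustomobject]@{
        BuiltinName         = $builtin.Name
        BuiltinEnabled      = $builtin.Enabled
        AlternativeAdmins   = $alternatives.Name
        HasAlternativeAdmin = ($alternatives.Count -gt 0)
        Members             = $report
    }
}

$result = Get-BuiltinAdminReadiness
$result | Format-List BuiltinName, BuiltinEnabled, AlternativeAdmins, HasAlternativeAdmin
$result.Members | Format-Table -AutoSize
```

Domain accounts and groups are listed with `Enabled` left empty because their state lives in the directory, not on the server, so confirm an interactive logon with the domain admin account before disabling anything.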