Hi,
We already allow DataMiner installation under a different local account than the built-in Administrator, in case that account has local admin rights assigned.
Do we also support his in case of a domain account with local admin rights?
If so, how easy/difficult would it be to migrate an existing DataMiner installation from 'local user with admin rights' to 'domain user with admin rights'?
If you are logged in as a domain user with administrative privileges on the system, and you check the box to add the local user to dataminer during the installation setup, then it will add the domain user to the dataminer user list automatically, thus you can install using a domain account with local admin rights in my experience.
It’s not possible from Cube to delete the built-in Administrator account. It might be possible to delete the local Administrator account on the computer itself. As a last resort, there is a method for manually editing the security.xml file that might allow you to delete the built-in Administrator account, but I’m not sure that dataminer wouldn’t just recreate it on restart.
If the goal is to prevent that account from being able to login to dataminer, there is a Local Group Policy security setting that can be set to prevent network login of local account credentials. While this would prevent the account from being accessible, this would also affect all local accounts, and then only domain logins would work in dataminer.
Here is a link with instructions:
https://www.techcrafters.com/portal/en/kb/articles/how-to-block-remote-network-access-for-local-user-accounts-in-windows
Thanks for sharing, Michael – not in Cube, I’m talking about disabling the local built-in at OS layer. If there is a different local user named “Spike” or “Teresa”, with exactly the same privileges, that would be perfectly fine – Security wise, since most attacks are directed to gain admin access, not flagging the “root” user by calling it “Administrator” is considered good practice.
Is it also possible to disable the built-in Administrator on systems that were built with it enabled? Thinking of all the possible places where by default we’d get “Administrator” and if the system can be updated by switching to a domain account with the same privileges.