Hi Everyone,
We have a production DMS (10 DMAs) running DataMiner 10 that was installed long ago with the Windows Administrator account enabled. Now, due to security concerns and best practices, we need to disable that account.
The expected result is something like this:
- Disable the Windows Administrator account entirely
- Create a new Windows Administrator (with a different name) for OS access and maintenance.
- Use a DataMiner user (not Administrator) as the main "built-in" account to manage and administrate the whole DMS.
If this were a brand-new install, we could choose another account as the DataMiner built-in. However, the system is in production, and the DMS is synchronized with the (now active) Administrator account:
- Is this even possible?
- What should we consider when executing the change?
- Is there any difference between the Dataminer built-in account during install and any other Dataminer administrator created after?
On an existing DataMiner system you would need the following steps:
- Create a DataMiner user (e.g. "DataMinerAdmin") which you add to a DataMiner security group which has full access (permissions & views)
- Create a new Windows user (e.g. "WindowsAdmin") and grant this one Administrator access in the Windows OS itself
- Disable the "Administrator" user at Windows OS level
Notes:
- I believe DataMiner will keep showing a hardcoded "Administrator" user in its user list and will not allow you to delete it. However, as long as there is no enabled matching user at Windows OS level, no one will be able to log on with this account.
- After DataMiner upgrades to new versions, you might need to manually enable some new security rights on the custom DataMinerAdmin user.
- Communication between agents is typically done using machine accounts within the domain. In cases where custom connection strings have been configured using the "Administrator" credentials, these will also have to be updated.
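The Windows-side part of the three steps above, as an added PowerShell example that is not from the original answer. It assumes a local (non-domain) replacement account named "WindowsAdmin", that the "DataMinerAdmin" user has already been created in DataMiner with full permissions, and that the LocalAccounts cmdlets (Windows 10 / Server 2016 and later) are available; the lock-out pre-check before disabling is the author's own addition.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell session on each DMA.
# Assumptions: local accounts are acceptable, the new admin is "WindowsAdmin", and the DataMiner
# user "DataMinerAdmin" with full permissions already exists (created in DataMiner, not here).

$NewAdmin = 'WindowsAdmin'
$BuiltIn  = 'Administrator'

# Step 1 (Windows side): create the replacement admin and put it in the local Administrators group.
$Password = Read-Host -AsSecureString -Prompt "Password for $NewAdmin"
if (-not (Get-LocalUser -Name $NewAdmin -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $NewAdmin -Password $Password | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin -ErrorAction SilentlyContinue

# Step 2: lock-out check. Only disable the built-in account if at least one OTHER enabled local
# user is still a member of Administrators; otherwise you lose OS access to the DMA.
$OtherEnabledAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -Name ($_.Name -split '\\')[-1] -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled -and $_.Name -ne $BuiltIn }

if (-not $OtherEnabledAdmins) {
    throw "No other enabled local administrator found; refusing to disable '$BuiltIn'."
}

# Step 3: disable the built-in Administrator. DataMiner keeps listing its hardcoded "Administrator"
# user, but with no enabled Windows account behind it nobody can log on with it.
Disable-LocalAccount -Name $BuiltIn

# Verification: the built-in account must now be disabled and the new admin enabled.
Get-LocalUser -Name $BuiltIn, $NewAdmin | Select-Object Name, Enabled

# Follow-up (manual): if any inter-agent connection string was configured with "Administrator"
# credentials, update it to the DataMinerAdmin account, otherwise those connections will fail.
```

Repeat on every DMA in the cluster, and only enable the DataMiner-side changes (DataMinerAdmin in a full-permission group) before the last Windows step, not after.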
Could this become a feature later on, so that during the installation of the DMA we have an option?
E.g.:
- name your default built-in account;
- use the default built-in “Administrator” account, where this can be left active.
Where servers are on a domain, it can help to define an admin at domain level too.
Hi Alberto,
What is currently already supported: The installer can automatically create a DataMiner account for the Windows user which is executing the installer (if not executed by “Administrator”). This user ends up in an “Administrators” group created by the installer.
Not possible yet: creating a new local account (or selecting anything else) from the installer. Probably not that big of an issue, as you can further configure DataMiner after installing.
There does exist a task to create a built-in “Administrators” group that has all permissions (and keeps having all permissions after upgrades). With such a group in place, I don’t believe there’s a need to prevent deleting the “Administrator” account as long as there remains at least one member of the Administrators group.
Still on this topic. If one deletes the Administrator account, how does the software know which user to use to communicate to the other Agents in the cluster? Do we need to explicitly configure this on the Connection Strings? Additional Configuration?
Hi Bruno, it is a misconception that agents communicate with each other using the Administrator account by default.
The default behavior is that the machines try to authenticate using their system/machine account. This usually works as machines are in the same domain.
The default behavior can be overridden by specifying a specific user and password account in the connection string. That’s what typically happens if the agents fail to communicate using the default account they have. The account specified needs to be a DataMiner account which has all permissions.
Hi Arturo,
During installation it's possible to already configure a user with all rights which you can use to log in on the system. This doesn't mean that this user will become the DataMiner built-in admin user.
This is new information, I always thought that was the case.
Thanks for clarifying!
Thanks a lot for your answer Wouter!