Skip to content
DataMiner DoJo

More results...

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Search in posts
Search in pages
Search in posts
Search in pages
Log in
Menu
  • Updates & Insights
  • Questions
  • Learning
    • E-learning Courses
    • Empower Replay: Limited Edition
    • Tutorials
    • Open Classroom Training
    • Certification
      • DataMiner Fundamentals
      • DataMiner Configurator
      • DataMiner Automation
      • Scripts & Connectors Developer: HTTP Basics
      • Scripts & Connectors Developer: SNMP Basics
      • Visual Overview – Level 1
      • Verify a certificate
    • Video Library
    • Books We Like
    • >> Go to DataMiner Docs
  • Expert Center
    • Solutions & Use Cases
      • Solutions
      • Use Case Library
    • Markets & Industries
      • Media production
      • Government & defense
      • Content distribution
      • Service providers
      • Partners
      • OSS/BSS
    • Agile
      • Agile Webspace
      • Everything Agile
        • The Agile Manifesto
        • Best Practices
        • Retro Recipes
      • Methodologies
        • The Scrum Framework
        • Kanban
        • Extreme Programming
      • Roles
        • The Product Owner
        • The Agile Coach
        • The Quality & UX Coach (QX)
    • DataMiner DevOps Professional Program
      • About the DevOps Program
      • DataMiner DevOps Support
  • Downloads
  • More
    • DataMiner Releases & Updates
    • Feature Suggestions
    • Climb the leaderboard!
    • Swag Shop
    • Contact
    • Global Feedback Survey
  • PARTNERS
    • All Partners
    • Technology Partners
    • Strategic Partner Program
    • Deal Registration
  • >> Go to dataminer.services

How Disable Windows Administrator in a Production DMS?

Solved5.93K views6th December 2021Administrator best practices security
4
Arturo Lizcano [SLC] [DevOps Member]385 4th December 2021 0 Comments

Hi Everyone,

We have a production DMS (10 DMA) running Dataminer 10 that was installed long ago with the Windows Administrator enabled. Now due to security concerns and best practices we need to disable that account.

The expected result is something like this:

  • Disable the Windows Administrator account entirely
  • Create a new Windows Administrator (with a different name) for OS access and maintenance.
  • Use a Dataminer user (Not Administrator) as the main “built-In” account to manage and administrate the whole DMS.

If this was a Brand-new install, we could choose another account as the Dataminer built-in, However, the system is in production, and that the DMS is synchronized with the (now active) Administrator account:

  1. Is this even possible?
  2. What should we consider when executing the change?
  3. Is there any difference between the Dataminer built-in account during install and any other Dataminer administrator created after?
Arturo Lizcano [SLC] [DevOps Member] Selected answer as best 6th December 2021

2 Answers

  • Active
  • Voted
  • Newest
  • Oldest
8
Wouter Demuynck [SLC] [DevOps Advocate]5.94K Posted 6th December 2021 5 Comments

On an existing DataMiner System you would need the following steps:

  • Create a DataMiner user (e.g. “DataMinerAdmin”) which you add to a DataMiner security group which has full access (permissions & views)
  • Create a new Windows user (e.g. “WindowsAdmin”) and grant this one Administrator access in the Windows OS itself
  • Disable the “Administrator” user at Windows OS level

Notes:

  • I believe DataMiner will keep showing a hardcoded “Administrator” user in its user list and will not allow you to delete it. However, as long as there no enabled matching user at Windows OS level, no-one will be able to log on with this account.
  • After DataMiner upgrades to new versions, you might need to manually enable some new security rights on the custom DataMinerAdmin user.
  • Communication between agents is typically done using machine accounts within the domain. In cases where custom connection strings have been configured using the “Administrator” credentials, these will also have to be updated.
Wouter Demuynck [SLC] [DevOps Advocate] Posted new comment 19th January 2022
Arturo Lizcano [SLC] [DevOps Member] commented 6th December 2021

Thanks a lot for your answer Wouter!

Alberto De Luca commented 7th December 2021

Could this become a feature later on, so that during the installation of the DMA we have an option?

E.g.: – name your default built-in account;
– use the default built-in “Administrator” account,
where this can be left active.

Where servers are on a domain, it can help to define an admin at domain level too.

Wouter Demuynck [SLC] [DevOps Advocate] commented 7th December 2021

Hi Alberto,

What is currently already supported: The installer can automatically create a DataMiner account for the Windows user which is executing the installer (if not executed by “Administrator”). This user ends up in an “Administrators” group created by the installer.

Not possible yet: creating a new local account (or selecting anything else) from the installer. Probably not that big of an issue, as you can further configure DataMiner after installing.

There does exist a task to create a built-in “Administrators” group that has all permissions (and keeps having all permissions after upgrades). With such a group in place, I don’t believe there’s a need to prevent deleting the “Administrator” account as long as there remains at least one member of the Administrators group.

Bruno Nogueira [SLC] commented 19th January 2022

Still on this topic. If one deletes the Administrator account, how does the software know which user to use to communicate to the other Agents in the cluster? Do we need to explicitly configure this on the Connection Strings? Additional Configuration?

Wouter Demuynck [SLC] [DevOps Advocate] commented 19th January 2022

Hi Bruno, it is a misconception that agents communicate with each other using the Administrator account by default.

The default behavior is that the machines try to authenticate using their system/machine account. This usually works as machines are in the same domain.

The default behavior can be overridden by specifying a specific user and password account in the connection string. That’s what typically happens if the agents fail to communicate using the default account they have. The account specified needs to be a DataMiner account which has all permissions.

2
Jens Vandewalle [SLC] [DevOps Enabler]9.44K Posted 6th December 2021 1 Comment

Hi Arturo,

During installation it’s possible to already configure a user with all rights which you can use to log in on the system. This doesn’t mean that this user will become the DataMiner built-in admin user.

Arturo Lizcano [SLC] [DevOps Member] Posted new comment 6th December 2021
Arturo Lizcano [SLC] [DevOps Member] commented 6th December 2021

This is new information, I always thought that was the case.
Thanks for clarifying!

Please login to be able to comment or post an answer.

My DevOps rank

DevOps Members get more insights on their profile page.

My user earnings

0 Dojo credits

Spend your credits in our swag shop.

0 Reputation points

Boost your reputation, climb the leaderboard.

Promo banner DataMiner DevOps Professiona Program
DataMiner Integration Studio (DIS)
Empower Katas
Privacy Policy • Terms & Conditions • Contact

© 2025 Skyline Communications. All rights reserved.

DOJO Q&A widget

Can't find what you need?

? Explore the Q&A DataMiner Docs