0

If I were to create a admin domain account on a remote Windows Small Business Server (SBS), copy all permissions from the current [default] Administrator account, and then disable the [default] administrator account, then

How can I unlock the newer admin account if it gets locked out (besides a full system restore from a BDR)?

There will be no other admin accounts active on the server, but there will be standard user accounts.

Abhijeet Kasurde
  • 983
  • 9
  • 20
Zero
  • 315
  • 1
  • 5
  • 21

1 Answers1

4

If your domain administrator account gets locked out, you can still log in with cached credentials by disconnecting the server from the network much like you can log in when a password was changed. You will however be unable to access any network resources since that requires a check from the DC.

However, as this is a server ...I strongly recommend against deleting all local administrator accounts as you will not be able to log in as an admin in recovery mode. If it's a security issue, you're no more secure than using a network login as your administrator. Use a strong password.

EDIT: Safe mode will allow access to the local administrator account, so you can still get in regardless. Previous point stands though, don't disable it or else you'll have downtime!

Nathan C
  • 15,059
  • 4
  • 43
  • 62
  • I wish I could find the Technet article, but I'm almost certain that SBS uses the DOMAIN\Administrator account for various services/activities and disabling it can cause issues. It's unique to SBS, but can't find the article that discusses it currently. – TheCleaner Oct 14 '13 at 17:24
  • 1
    Oh btw, the DOMAIN\Administrator account is never fully disabled. A reboot into safe mode will allow login of that account to then change/unlock the "personal domain admin" account. You may want to include that in your answer as well as an option. – TheCleaner Oct 14 '13 at 18:30
  • Ah, good catch. – Nathan C Oct 14 '13 at 18:32