Although Active Directory (AD) provides convenient centralized account management for complex domains, it doesn't handle one account management problem: updating passwords for local Administrator accounts that reside on a member server that isn't a domain controller (DC). The more solid a network is, the easier it is to forget that local Administrator accounts also have local passwords. These accounts can be helpful when you need to get into a computer that can't access a DC and the cached credentials of a domain administrator are absent from the system. However, local Administrator accounts are security vulnerabilities if their passwords are weak or aren't updated regularly. (For more information about cached credentials, see the Microsoft article "How Interactive Logon Works," http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/779885d9-e5e9-4f27-9c14-5bbe77b056ba.mspx.)
If you have a solid network infrastructure with user profiles stored centrally, one security option is simply to disable the local Administrator account, or deny access to it if you're on Windows 2000. (For more information about disabling the local Administrator accounts, see the Microsoft article "How to disable the Local Administrator account in Windows," http://support.microsoft.com/?kbid=281140.) Disabling the local Administrator account means you'll no longer have administrative concerns about it, and you can enable the account temporarily for planned offline work. If you should have a workstation OS failure, the worst problem you're likely to face is automatically rebuilding the workstation using the user's data, which should be safely stored on the network. . . .
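An added example (not part of the original article): one way to check member computers for the two conditions discussed above, whether the built-in local Administrator account is enabled and how long ago its password was last changed. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets and PowerShell remoting enabled on the targets; the function name, the 90-day threshold and the host names are hypothetical.

```powershell
# Added example. Assumes PowerShell remoting and the Microsoft.PowerShell.LocalAccounts
# module on each target. Intended for member servers and workstations, not DCs.
function Get-LocalAdminPasswordAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,  # computers to check
        [int]$MaxAgeDays = 90                           # assumed policy threshold
    )

    # Runs on each target. The built-in Administrator is located by its well-known
    # RID (500) rather than by name, so a renamed account is still found.
    $probe = {
        Get-LocalUser |
            Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
            Select-Object Name, Enabled, PasswordLastSet
    }

    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ Computer = $computer; Account = $null; Enabled = $null
                           PasswordAgeDays = $null; Finding = $null }
        try {
            $acct = Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
        } catch {
            # Offline or unreachable hosts are reported, not silently skipped.
            $row.Finding = "Unreachable: $($_.Exception.Message)"
            [pscustomobject]$row
            continue
        }
        if (-not $acct) {
            $row.Finding = 'Built-in Administrator (RID 500) not found'
        } else {
            $row.Account = $acct.Name
            $row.Enabled = $acct.Enabled
            if ($acct.PasswordLastSet) {
                $row.PasswordAgeDays = [int][math]::Floor(((Get-Date) - $acct.PasswordLastSet).TotalDays)
            }
            $row.Finding =
                if (-not $acct.Enabled)                    { 'Disabled' }
                elseif ($null -eq $row.PasswordAgeDays)    { 'Enabled, no password-change date recorded' }
                elseif ($row.PasswordAgeDays -gt $MaxAgeDays) { "Enabled, password older than $MaxAgeDays days" }
                else                                       { 'Enabled, password within threshold' }
        }
        [pscustomobject]$row
    }
}

# Constructed host names, for illustration only:
# Get-LocalAdminPasswordAudit -ComputerName 'SRV-FILE01','WS-0042' | Format-Table -AutoSize
```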