Disabling Local Administrator Accounts
The Administrator account (NT AUTHORITY\Administrator) exists by default on all Microsoft Windows (Windows NT-based) systems and Active Directory domains. It is typically used as a setup and disaster recovery account.
If you must use the local Administrator account, use it only during setup and to join the machine to the domain; after that it should no longer be needed. If the account is required for recovery or to boot into Safe Mode, it is automatically re-enabled for troubleshooting only. Once the system boots normally again, it is disabled.
Alternatively, you could assign a random, unique passphrase to each computer’s local Administrator account. This prevents propagation across machines using shared local administrator credentials. Ideally, however, the account should simply be disabled.
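As an added example (not from the SECMON1 post), the following PowerShell locates the built-in Administrator account by its well-known RID 500 rather than by name (the account may have been renamed), refuses to proceed unless another administrator remains, and then disables it. It assumes an elevated Windows PowerShell 5.1 or later session with the Microsoft.PowerShell.LocalAccounts module available.

```powershell
# Added example: disable the built-in Administrator safely (not the original post's code).
# Run in an elevated session; -WhatIf previews the change without applying it.

function Get-BuiltinAdministrator {
    # The built-in Administrator is always the RID 500 account on the machine SID,
    # so match on the SID suffix instead of the (renameable) account name.
    Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
}

function Test-AlternateAdminExists {
    # Guard against locking yourself out: require at least one other member of the
    # local Administrators group that is a domain principal or an enabled local user.
    $builtin = Get-BuiltinAdministrator
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID -ne $builtin.SID }
    foreach ($m in $members) {
        if ($m.PrincipalSource -ne 'Local') { return $true }   # domain / Azure AD principal
        $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled) { return $true }               # another enabled local admin
    }
    return $false
}

function Disable-BuiltinAdministrator {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $admin = Get-BuiltinAdministrator
    if (-not $admin) { Write-Warning 'Built-in Administrator (RID 500) not found.'; return }
    if (-not $admin.Enabled) { Write-Output "'$($admin.Name)' is already disabled."; return }
    if (-not (Test-AlternateAdminExists)) {
        Write-Warning "'$($admin.Name)' is the only usable administrator; not disabling."
        return
    }
    if ($PSCmdlet.ShouldProcess($admin.Name, 'Disable local account')) {
        Disable-LocalUser -SID $admin.SID
        Write-Output "Disabled '$($admin.Name)' ($($admin.SID.Value))."
    }
}

Disable-BuiltinAdministrator -WhatIf   # preview
Disable-BuiltinAdministrator           # apply
```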
In the SECMON1 blog post ‘Security Overview – Information Security Essentials’, we explained what the local Administrator account is for and why disabling it is an essential security measure.
In this document, we provide some basic steps to assist in disabling this account, along with links where you can learn more about this topic and identify the other options available to you.