What should I do with old admin account according to Microsoft Best practices?
Not sure where to post this... One of our enterprise admins was fired & we hired a new one & now I want to perform the most appropriate action, according to MS best practices :) Should I disable his account & create a new one for the new admin, including him in every security group he should be in? Or should I delete the old admin account? Or should I rename the old admin account so that the new one can use it, having all rights right away? Any other suggestions? But again: I'm interested in the MS best practices way (because we've argued with other admins in this regard :))
September 21st, 2011 4:20am

Disable the old ID and create a new ID for the new admin and assign the permissions for him.

Best regards,
Biswajit Biswas
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
September 21st, 2011 4:31am
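
The disable-and-recreate approach from the answer above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module is available; `admin1` and `admin2` are placeholder account names, and the interactive group review is an assumption of this example.

```powershell
# Added example: disable the departed admin's account and provision a fresh one.
# Requires the ActiveDirectory module (RSAT) and rights to manage both accounts.
Import-Module ActiveDirectory

$OldAdmin = 'admin1'   # placeholder: account of the admin who left
$NewAdmin = 'admin2'   # placeholder: account for the new hire

$old = Get-ADUser -Identity $OldAdmin

# Record the old account's groups first, so the list can be reviewed and audited.
# The default primary group (Domain Users) is skipped; new users get it automatically.
$groups = Get-ADPrincipalGroupMembership -Identity $old |
    Where-Object { $_.Name -ne 'Domain Users' }
$groups | Select-Object Name, GroupScope, DistinguishedName |
    Export-Csv -Path ".\${OldAdmin}-groups.csv" -NoTypeInformation

# Disabling keeps the old SID attached to the old person's name, so past
# audit entries and ACLs still resolve to them.
Disable-ADAccount -Identity $old
Set-ADUser -Identity $old -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): admin left"

# Create the new account with its own SID; the new admin must change the password at first logon.
$password = Read-Host -AsSecureString -Prompt "Initial password for $NewAdmin"
$new = New-ADUser -Name $NewAdmin -SamAccountName $NewAdmin `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $true -PassThru

# Grant only the groups the new admin should be in; each add is confirmed by hand.
foreach ($g in $groups) {
    $answer = Read-Host "Add $NewAdmin to '$($g.Name)'? (y/n)"
    if ($answer -eq 'y') {
        Add-ADGroupMember -Identity $g -Members $new
    }
}

# Verify the end state: old account disabled, new account's memberships listed.
Get-ADUser -Identity $OldAdmin | Select-Object SamAccountName, Enabled
Get-ADPrincipalGroupMembership -Identity $new | Select-Object Name
```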

You can simply rename the administrator account: http://support.microsoft.com/kb/816109 As a best practice you can log in to the servers from a normal account, and wherever you want admin rights you can use Run as administrator.

Darshana Jayathilake
September 21st, 2011 5:00am

I know that according to best practices all administrative tasks should be done from a normal account using "runas admin" commands :) & of course I know how to rename an administrative account :) The question was which way, renaming the old admin account or disabling it or even deleting it, is the best practice when the old admin is fired & a new one is hired? You say it's renaming, Biswajit Biswas said it's disabling... I'm confused :(
September 21st, 2011 5:31am

Better to rename the administrator account. If you want, first create a user and add him to Administrators, Enterprise Admins, Schema Admins, and now you can log in from that account and disable the admin account.

Darshana Jayathilake
September 21st, 2011 7:10am

Darshana,

Looks like either I do not understand you, or you do not understand me. I am not talking about using the DOMAIN\administrator account at all, so no need to rename it. I'm talking about, for example:

domain\admin1 - fired administrator account
domain\admin2 - hired instead of admin1 account

We have a lot of other admins in the domain who are even in the Enterprise Admins group, who can create any kind of accounts, including domain admin accounts of course. I was just wondering whether "creating a new admin account for the new employee" is better (at the same time disabling or deleting the old admin account)? Or should I just rename the old admin account to the new one (rename domain\admin1->domain\admin2) & let the new employee use it? And finally, what is the MS best practices way in such cases? Not the way you like more :)
September 21st, 2011 8:15am

Hi,

I would like to confirm if this is a built-in Administrator? If so, it is recommended to rename or disable the Administrator account as a best practice.

The Administrator account is a default member of the Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema Admins groups in Active Directory. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled. Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will make it more difficult for malicious users to try and gain access to it.

For more information, please refer to the following Microsoft TechNet article:

Active Directory Best practices
http://technet.microsoft.com/en-us/library/cc778219(WS.10).aspx

If not, both deleting and renaming the Administrator account are fine.

Regards,

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 22nd, 2011 10:36am

This topic is archived. No further replies will be accepted.
