Administrative Accounts and Passwords

To manage the Windows EBS domain, you must use a domain administrator account. During the installation of Windows EBS, you may have used the default Administrator account in Active Directory Domain Services (AD DS) on the Management Server for this purpose. (If you joined Windows EBS to an existing domain, you used an existing account with enterprise privileges.)

To provide an audit trail, it is recommended that you set up a separate account in the Domain Admins group for each user who performs domain administration tasks in Windows EBS. As a best practice, you can disable or rename the default Administrator account in AD DS to make it more difficult for malicious users to try to gain access to it.


The domain administrator account that you used to deploy Windows EBS is also configured by default to run services for System Center Essentials on the Management Server. To change the credentials for the services for System Center Essentials, see Modify Account Credentials in System Center Essentials.

You must use an account that is a member of the Domain Admins group to do the following in Windows EBS:

  • Start the Windows EBS Administration Console

  • Perform administrative tasks in the Windows EBS Administration Console

    You must assign a client access license (CAL) for Windows EBS to the domain administrator account to be able to add computers to the domain.

  • Start RemoteApp sessions from the Administration Console to administrative consoles on the Security Server and the Messaging Server

  • Install and use add-ins for Windows EBS

Because the Windows EBS Administration Console runs with full administrative privileges on the domain, ensure that you use the Management Server only for administrative duties. You should log off this server promptly when you are finished using the Administration Console.

Administrative account on the Security Server

The Security Server is configured with a local administrator account during deployment of Windows EBS. Because of the security roles on the Security Server and because this server is domain-connected, you should take extra precautions with this account. As a best practice, you should disable or rename the local administrator account on the Security Server.

Password policies

Use strong passwords for all administrative accounts. A password is considered strong if it provides an effective defense against unauthorized access. A strong password does not contain all or part of the user account name, is a minimum of eight characters long, includes characters from a large character set, and is reset at regular intervals.

The password you create for the local administrator account on the Security Server should differ from the password that you use for the domain administrator account.
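The following check is an added example, not part of the original documentation or of Windows EBS. It tests a candidate administrative password against the criteria stated above, including that it differs from the password of another administrative account. The function names and sample accounts are hypothetical. Two thresholds are assumptions: "a large character set" is read as at least three of four character classes, and "part of the user account name" as any fragment of the name that is three or more characters long.

```python
import re

MIN_LENGTH = 8      # from the page: "a minimum of eight characters long"
MIN_CLASSES = 3     # assumption: "large character set" = 3 of the 4 classes below
MIN_NAME_PART = 3   # assumption: shorter fragments of the account name are ignored

CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def name_parts(account_name):
    """Return the whole account name plus its delimiter-separated tokens, lowercased."""
    tokens = re.split(r"[\s,.\-_#\\@]+", account_name)
    parts = {account_name.lower()} | {t.lower() for t in tokens}
    return {p for p in parts if len(p) >= MIN_NAME_PART}

def check_password(account_name, password, other_passwords=()):
    """Return the criteria the password fails; an empty list means it passes.

    Regular resets are not checked here: they are enforced by the password
    policy (maximum password age), not by the password's content.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    lowered = password.lower()
    if any(part in lowered for part in name_parts(account_name)):
        failures.append("contains_account_name")
    used = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(used) < MIN_CLASSES:
        failures.append("small_character_set")
    if password in other_passwords:
        failures.append("reused_for_another_admin_account")
    return failures

if __name__ == "__main__":
    # Constructed sample accounts and passwords, for illustration only.
    domain_admin_pw = "Gr4nite!Harbor"
    samples = [
        ("EBS-Admin.jsmith", "Jsmith2008!", ()),
        ("Administrator", "winter08", ()),
        ("secadmin", domain_admin_pw, (domain_admin_pw,)),  # local admin reusing the domain password
        ("ops.lee", "Qu1et-Maple-42", (domain_admin_pw,)),
    ]
    for account, pw, others in samples:
        print(account, check_password(account, pw, others) or "OK")
```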

For information about creating strong passwords, see Windows Server 2008 Help: Click Start, and then click Help and Support.

It is recommended that you develop and implement a password policy for your organization. You can use Group Policy to manage your password policy. You can use the default password policy settings, or you can modify them to meet the requirements of your organization.

In Windows Server 2008, you can specify multiple password policies and apply different password restrictions and account lockout policies to different groups of users within your domain. For example, to increase the security of privileged accounts, you can apply strict settings to the privileged accounts and then apply less strict settings to the accounts of the other users. Or in some cases, you may want to apply a special password policy for accounts with passwords that synchronize with other data sources.

For more information about configuring password policies in Windows Server 2008, see the Microsoft Web site (