Don’t use the user, use the admin

connect and Windows 7:

Nice to know I wasn’t blonde.  I had set up some Windows 7 with SBS 2008 and the first time I set them up I used the user name of the person who was going to be using the system.  I had their password (I check the box to have them change it soon after) and I used http://connect… and it got stuck on SBS_netsetup which is the temporary routine that SBS uses to log on, get the domain set up and do its bizness.  Huh.  What did I do wrong I asked?

So recently I had six Windows 7 that I joined http://connect style and THIS time every one of them I used the “admin trick”.  When you get to the setup screen, don’t choose the option to set the computer up for yourself.  Instead, choose the option to Set the computer up for others.

You will first give the box the domain administrator username and password.  Yeah I know there’s Security blogger/guru/Dr./etc etc I know that when I did this I immediately thought of how I was using domain admin credentials on a local machine and thinking about what he might think of cached credentials on the box.. but if you are that level of paranoia in your firm, set up a domain admin account specifically for this process and then change the password right afterwards.

So anyway you log in with the domain admin and then you get to a screen where you choose the additional folks that will log into the box.  Then the system does its normal routine of domain join/install/yadda yadda and the SIX times I’ve used http://connect with this assign computer function, the sbs_netsetup has not gotten stuck.

So that’s my new best practice for setting up Windows 7’s on SBS 2008.  Don’t use the user, use the admin.

2 Thoughts on “Don’t use the user, use the admin”

  1. Joe Raby on February 6, 2010 at 3:09 pm said:

    Why would Microsoft allow users the option of joining their own computer to the domain and setting themselves up as a domain user anyway? Isn’t that a security risk in itself? (Ok, well maybe not to do with domain access, but should users be allowed to create user and computer accounts in AD by themselves?)

    I think best security practices should be followed, and a local admin should only set up accounts for others.

  2. bradley on February 6, 2010 at 3:25 pm said:

    SBS likes to give choices, and the reality of the small business is that you know the person’s username/password and then you click the button to change the password the next time they log on.

    The reality is, it’s you setting up that box, not the real user anyway.
