Local accounts after joining domain

I have installed DV and joined the domain on my Proplus. I'm not quite sure what to do with the Emerson and Administrator accounts now. The Administrator account gets disabled during installation. Emerson is just a local account. I did the complete install logging in with my domain admin credentials. What is the typical application?  When I first tried logging in after install.. I could log in with any account, but in order to get to windows desktop, i had to use the domain admin account. I don't know why the administrator (after enabling) or the Emerson account wouldn't work. 

In the past with workgroups we would primarily use Administrator for well, admins that could get to windows desktop and then a SUPER account that did not have admin privileges and would only be good for DeltaV logon.  

I'm not sure what best practices are with this setup. Oh, i have v15 on a R660 server 2022. I have 2 IDDCs. 

Thanks

10 Replies

  • Local accounts are useful when you need a backdoor into the servers or workstations. Best practice is to avoid any default accounts. Administrator will typically be disabled automatically when using a lot of Emerson automated setup scripts since it is a common default username. I usually create a unique local account via Computer Management and give it the local Administrator group. Then I login with that account and disable the local Emerson account. At the bare minimum, I would give the local Emerson account a strong password. The local Emerson account should be a member of the local Administrators group by default. Note that this is useful only for dealing with Windows OS stuff, not DeltaV.

    From a DeltaV perspective in a domain, almost everything should be logging in via domain users. User Manager will take care of the domain groups/permissions for you. There are specific situations where you may need to create local accounts, and you would use Computer Management on the specific servers or workstations to create those.
  • In reply to Edward S Goh:

    So the only administrator account on the domain should be the domain administrator? All other administrator accounts would be local? User Manager can still propagate those right? For instance i just finished adding a few workstations and my administrator account was disabled. So, I enabled it, set a password. Logged off.. tried to log on only to find out i don't have windows desktop access even though it's an administrator account on the machine. I'm not sure why it's restricted.
  • In reply to TreyB:

    Local administrator accounts are not DeltaV accounts so that account will not be able to access DeltaV functions, such as accessing Windows Desktop via FlexLock. In a domain environment, what you see in User Manager are domain users, and you cannot add the local administrator accounts on each computer or server as DeltaV accounts. Once you are in a domain environment, all routine work is done with domain users usually. So I would be logging into Windows on the workstations with a domain user almost all the time once you have your local administrator account setup the way you want it. If your domain stops functioning (i.e. you are not able to login via domain credentials) then your local administrator account is the only way to get into the computer in front of you for disaster recovery.

    You can have multiple Windows Administrators (checkbox under Account Type in User Manager) for your domain. You could also separate the DeltaV Administrator account and the Windows Administrator accounts too if you want to follow the principle of least privilege. Do you want a single shared super admin account that can do anything on the system so you have less users to manage? Do you want every user to have their own login so that if they quit you just have to disable their account? User management needs a balance of maintainability and security and every site places a different weight on these things.
  • In reply to Edward S Goh:

    Roger that. I think i got it almost working. Just needed that philosophical check. I'm not the system admin, so in the end, i'll let them mange how they want.
  • In reply to Edward S Goh:

    I came across a problem yesterday that has me thinking. I had an issue where deltaV services wouldn't start. So, when it timed out it asked if i wanted to log into windows desktop with a local administrator account. I did so. However, then i couldn't run workstation configuration because I wasn't a domain admin. So, I was forced to basically wipe the machine. I was in a catch 22 where I couldn't log in as domain admin because services didn't start, and i couldn't run the likely fix to get services to start because i wasn't a domain admin. I was hoping there was a solution, but doesn't seem i can make my local account a domain admin. That's not even a group available on my local machine. It was "fine" now because this is a new system.. but that could be a catastrophic issue for a running plant. Is there anyway to allow a domain admin to log into windows desktop if services don't start.. or a way to make a local account a domain admin. Seems to be the only two options and both seem unlikely.
    Thanks
  • In reply to TreyB:

    Are you able to access the windows desktop using the domain administrator? If so, try running regall/ register again.
  • In reply to KeithStThomas:

    idk what that command is in relation to running workstation config or starting services, but no. DeltaV will run through it's process trying to start the service. Once it can't start, it asks if you want to log into the windows desktop with a local administrator account. domain account login at that point is not an option. Which is why i can't run workstation config. I have to run it with an account that is part of Domain Admins.
  • In reply to TreyB:

    regall /register is a wonder drug that can fix weird issues like what you are experiencing. What user did you log into windows with originally? If it is a domain admin, then you are still domain admin once you get to the windows desktop even if you had to use a different DeltaV user to switch from DeltaV Desktop to Windows Desktop.

    I've had cases like this in the past where it seems to be a locked box with the key stuck inside. Once I could reach the windows desktop, I would run regall /register from a cmd window, then run workstation config. This usually clears up the services issue without having to re-image the PC.
  • In reply to KeithStThomas:

    Well, i would have loved to try that. but i'm already wiping the thing. My recent comment was more to the point of how to prevent it in the future. I've not heard of that command before. I'll keep it in mind.

    In regards to the domain admin.. yes, it would seem that if i originally used the domain admin to login it should be good. But.. when i would run workstation config as domain admin (after switching from DV desktop to windows desktop), it would spin like it was starting and then do nothing. Maybe that is not typical and is symptomatic of the other issues i had. So, i had domain admin, which would just spin.. built-in administrator which can never run WC, and Emerson account, which is not and can't be a domain admin. I was 3 strikes.

    I have our impact partner getting me the recovery media for this particular server model we have since i originally used a generic OS installer.
  • In reply to TreyB:

    If you end up locked out of the windows desktop in the future, you can connect to the machines registry remotely (From another domain member) and change the AutoSwitchingEnabled DWORD to 0. This is the the same function as disabling Autoswitch Desktop. A preventative measure is to disable Autoswitch Desktop prior to running wks config.

    When setting up a new DeltaV Workstation node in a domain environment, I always name the computer and join the domain prior to running wks config. Haven’t ran into the lockout issue for several years using this method.

    Hope this helps.