Every Windows 2000 computer stores local users and their passwords in a special part of the registry commonly referred to as the Security Accounts Manager (SAM). When you promote a Windows 2000 server to a domain controller, SAM is no longer used. Instead, accounts are stored in Active Directory.

Domain controllers have a special offline SAM that stores the Administrator account used in the Directory Services Restore mode. Admins use this mode to recover Windows 2000 domain controllers. Since this account is very powerful, you must protect it.

Here are some tips for protecting this account:

* Use a different password for the offline SAM and the Active Directory Administrator account.

* Use a strong password, and change it regularly, in accordance with your password policy.

* Enable auditing for the SAM file located in %systemroot%\System32\Config.

* Physically secure the computer. Since the account isn't accessible when Active Directory is online, physical security is important.

* Protect backups, and don't let them get into the wrong hands.

* If you want to change the offline Administrator password but don't want to restart the domain controller to boot to the Directory Services Restore mode, use the Setpwd.exe utility from Windows 2000 Service Pack 2.

If you used Server Wizard to set up your domain controller, make sure you read Microsoft Knowledge Base article Q271641. This article discusses security issues related to using the Server Wizard.;en-us;Q271641