Occasionally, in the course of my work, I run across interesting problems, conundrums, insanities, vagaries, and things indescribable. Though assigning blame is often a simple matter of figuring out who touched something last, ascribing motives to their actions is not. This disconnect is more infuriating when the party responsible is not readily available for comment or immediate strangulation.
Case in point. I set up servers regularly for jobs. One of our areas of specialty is security, and servers have to be built a certain way before they go out the door. It’s not so much a labor-intensive process as a time-consuming one. First the OS has to be brought up, security policies set, database software installed, and finally the specialized door control and alarm suite. It takes several hours to install and double-check. Then it gets shipped wherever, and I hopefully never hear about it again.
So, I thought it was hilarious when I sent out a server on Monday, and it came back on Tuesday. No one could log in. Now, I’m pretty thorough in testing, and I know I didn’t do anything wrong. The technician dropping it off told me that the systems administrator for the client had possibly changed the passwords, and they couldn’t get back in. Odd, I thought, but fine. They could have just asked him for the password. I grabbed my copy of the Offline NT Password & Registry Editor and popped it in, thinking it a simple matter to reset the Administrator password on the Windows 2000 install on this particular server.
And here is where it got interesting, and the full story came out. The spiral of madness leading to a less-than-satisfying denouement. The password reset did not work. In addition, when I booted, the domain list did not include the entry for XXXXX (THIS COMPUTER) that Windows machines usually have.
It turns out the sysadmin had deleted the local admin account entirely, rather than simply assign a strong password. That was mistake number one. Mistake number two was then removing it from the domain by logging into the primary domain controller and deleting the server entry from the server list.
Let me explain something to any would-be sysadmins. I feel I am entitled to lecture, since I have been in the IT field for almost a decade, and have been an actual sysadmin for 6 years. Also, this lesson is short and simple. DON’T. GODDAM. DELETE. LOCAL. ACCOUNTS. EVER.
Gods damn you straight to the 66th layer of the Abyss, you overzealous morons who do this. This is bad, bad, BAD, ridiculously bad form. If you want security, change the gods-bedamned password. If you want better security, change the NAME ONLY on the Administrator account AND use a strong password. In an absolute worst-case scenario, disable the administrator account. But ALWAYS leave the local admin account there.
The why is simple: because you might need access to it! Shocker! If your domain controller borks for any reason and you have trouble accessing your credentials on your uber-secure server (it does happen), your smug little smirk is going to disappear really fast when you realize you basically locked yourself out of your car, and there’s no AAA to save you. Deleting the local Administrator account does NOT make your server more secure. It makes it obvious just what a hack amateur you are.
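For the would-be sysadmins who want the "do this instead" spelled out, here is the whole lecture as a script. This is an added example, not anything from the server in the story or from its client's sysadmin, and it assumes a modern Windows box with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); on the Windows 2000 machine above you would be doing the same thing with `net user`. The new account name `svc-maint` is just an illustrative choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes Windows 10 / Server 2016+
# with the Microsoft.PowerShell.LocalAccounts module. The account name "svc-maint"
# is an illustrative choice, not a recommendation.
Import-Module Microsoft.PowerShell.LocalAccounts

function Get-BuiltinAdministrator {
    # The built-in Administrator is identified by its well-known relative ID (500),
    # not by its name, so this finds it even after someone has renamed it.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

function New-RandomPassword {
    param([int]$Bytes = 24)
    # 24 random bytes from the OS CSPRNG -> a 32-character base64 string (~192 bits).
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    $rng.Dispose()
    [Convert]::ToBase64String($buf)
}

function Protect-BuiltinAdministrator {
    param(
        [Parameter(Mandatory)][string]$NewName,   # rename target, e.g. "svc-maint"
        [switch]$Disable                          # worst case: disable, never delete
    )
    $admin = Get-BuiltinAdministrator
    if (-not $admin) {
        throw "No RID-500 account on this host; someone already deleted it. Rebuild time."
    }

    # Step 1: strong password. Put the value in your password vault BEFORE running
    # this; it is printed once and never again.
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-LocalUser -SID $admin.SID -Password $secure -PasswordNeverExpires $true
    Write-Host "New password for RID 500 (record it now): $plain"

    # Step 2: change the NAME ONLY. The SID, and therefore every ACL and group
    # membership that references it, is untouched.
    if ($admin.Name -ne $NewName) {
        Rename-LocalUser -SID $admin.SID -NewName $NewName
    }

    # Step 3 (optional): disable. Still recoverable from an elevated local session or
    # an offline boot disk, which a deleted account is not.
    if ($Disable) { Disable-LocalUser -SID $admin.SID }

    # Verify the recovery account still exists, whatever its name is now.
    $after = Get-BuiltinAdministrator
    if (-not $after) { throw "RID 500 vanished; do not ship this box." }
    [pscustomobject]@{
        Name    = $after.Name
        SID     = $after.SID.Value
        Enabled = $after.Enabled
    }
}

# Usage: rename and set a fresh password; add -Disable only if policy demands it.
Protect-BuiltinAdministrator -NewName 'svc-maint'
# Re-enabling later, by RID so the current name does not matter:
# Enable-LocalUser -SID (Get-BuiltinAdministrator).SID
```

The reason everything is keyed on the SID rather than the name is the whole point of the rant: the name is cosmetic and you are free to change it, but the account behind RID 500 is the one thing that gets you back into a domain-joined box when the domain controller is not answering. Rename it, lock it down, disable it if you must, and then leave it alone.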
So here I am, rebuilding a server. You goddam schmuck, you know who you are.
Wow. I’m only an IP sales weasel, and even *I* know you’re not supposed to do that. Then again, based on some of the things I’ve seen clients do… this doesn’t surprise me in the least.