What are the limitations, if any, of disabling the default administrator account?
Our security group wants us to disable the default Administrator account, and I was under the impression that doing that is not recommended, but why?
Will some functionality not work? We are on version 4.3 SP1.
I can’t find any definitive information on this in the documentation or SAP support site.
Thanks.
I don’t know if there is anything documented but I have encountered things in the past that only the Administrator account could do. Even over an Enterprise account that is a member of the Administrators group.
I think disabling it is rather extreme. I think they should provide justification for doing so even though they may not.
It would be better to have the password for the account in a location where access was restricted and logged. You could certainly create a report off of the Audit database to audit anything that the Administrator account does in the system.
As far as I know, a full system recovery can only be done by the original administrator user.
I would never deactivate it (and I’m not even sure if that is possible at all).
It is a bit like the root user in a UNIX system: I would always recommend using personalized admin users for the day-to-day work (e.g., to know who has done important system changes so you know who to contact in case you need it), and it is a good idea to store the administrator account information in a safe place, but I would never deactivate it as you might need it in an emergency situation.
John is absolutely spot on with this, I’ve experienced it too.
I know what you’re saying, but couldn’t you just make the password complex and store it away in a secure password vault somewhere? Generally only Admins should need it, and it is very rare, but I do need it occasionally. I think you need it for patching for one. Obviously you could enable it, but why bother?