Why is the "Is 'Accounts: Administrator account status' set to 'Disabled'?" check failing in Control Compliance Suite (CCS) when run against domain controllers?


Article ID: 171088


Updated On:


Control Compliance Suite Windows


Running the check called:  Is 'Accounts: Administrator account status' set to 'Disabled'?   (found in CIS standards for Windows 2008 R2) is resulting in FAIL when run against Domain Controllers.  This occurs even when the Administrator account has been disabled in Active Directory.



Working as designed.



CCS 11.x and 12.x


Domain controllers do not have "local" users and "local" groups.  All users and groups on a domain controller are domain accounts and domain groups.

CCS is making a call for the Is 'Accounts: Administrator account status' set to 'Disabled'?  check which is a call against local accounts only.   Since a domain controller's (DC's) administrator account is not "local" the information for this account is kept in a different storage location accessible only by domain API calls, not local calls. 

Therefore even when the administrator account is disabled in Active Directory, the check will be unaware that the account has been disabled and will FAIL (due to the logic in the check).

WARNING:  Because the administrator account on a Domain Controller is often the account that created the domain, certain domain functions can only be done with this account. 

NOTE:  An exception can be created for this check for domain controllers.  This will keep CCS from counting this check against the CVSS score for the DCs.