Out of the box, the SBS 2008 setup routine disables the default Administrator 500 account:
Disabled Administrator Account
Depending on the method that was used to set up SBS 2008, the domain administrator account’s username and password was defined during the OS set up steps or in the Answer File Generator tool.
Now, something else that is new to us on SBS 2008 is the fact that the newly created domain administrative account will have a password that will expire along with all of the other user accounts.
Password Change Needed Soon
If the Answer File was used to install the SBS 2008 OS, it is a given that the password should be changed as an accidental loss of the USB flash drive would leave the SBS domain vulnerable.
The Answer File situation is mitigated by the fact that changing the default SBS domain password policies in the SBS Console will actually force a password change on all existing SBS users including the domain administrator account.
Keep the mandatory user password reset in mind when the policy is changed if the policy needs to be changed sometime after the server goes into production!
With the need to change that password comes the need to know which installed service accounts depend on the domain admin account too. Services.msc will show the LogOnAs setting for any installed service. To date, we have not seen any installed services that require the use of the domain admin account.
There is an exception to this rule though, as the Credentials used to dynamically update DNS in the DHCP manager will require the password to be reset at the same time or a warning will pop up in the logs indicating dynamic updates are not happening.
DHCP Dynamic Updates Credentials
This same warning appears in the Event Logs on a fresh SBS install until the credentials are set in place too. So, part of the SBS setup routine must be to input the final SBS Domain Admin credentials just prior to delivering the box.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book