
Clarification needed on default accounts vs built-in accounts

Open estarz opened this issue 1 year ago • 3 comments

Page URL

https://docs.netapp.com/us-en/ontap/ontap-security-hardening/default-admin-accounts.html

Page title

Default administrative accounts

Summary

Never understood there is a difference between built-in accounts and default accounts but apparently there is.

I've always thought the admin account was a built-in, that could be locked but not deleted. I read: "There are two default administrative accounts: admin and diag." and "ONTAP cannot remove or rename built-in accounts."

But still a few sections down we delete the admin account. Can we add a list of the built-in accounts so it's clear which ones cannot be deleted? Just tested deleting admin in one of my lab clusters so now I know admin can be done, some 13 years after starting to work on cDOT as it were :-)

Then we should probably also list autosupport in the default (and built-in) accounts because it's there on all clusters.

Thanks, Erik

Public issues must not contain sensitive information

  • [X] This issue contains no sensitive information.

estarz avatar Sep 25 '24 15:09 estarz

If you delete it, it will work. But after reboot, the accounts will reappear. You should lock it to disable access.

netapp-dtulledg avatar Sep 25 '24 18:09 netapp-dtulledg

Interesting. Just rebooted both nodes in my lab cluster and after logging in again I see the admin account has reappeared.

Then I believe this section in the hardening guide should be changed and recommend only locking the admin account. I mean, why provide the commands to delete it if we know it will come back?

estarz avatar Sep 25 '24 18:09 estarz

Hi Dave,

You can delete that part.

We're trying to keep customers from locking themselves out by keeping admin.

Thanks, Dan



netapp-dtulledg avatar Sep 25 '24 19:09 netapp-dtulledg

Sorry for the delay. Section has been deleted and revisions should be live next week.

netapp-dbagwell avatar Nov 06 '24 22:11 netapp-dbagwell