Each user who performs administrative activities should have a dedicated account to perform those activities. In a Windows environment, the built-in (RID 500) Administrator account should have a complex password set, printed, and locked away in a safe, etc. for emergencies.
A general tenet of security goes like this: You want to know who is performing which (administrative, in this case) activities (i.e. having an audit trail. Sharing accounts blows that out of the water.
Further, you want to be able to cut off an individual's access in case of a breach of password security, termination, etc. Shared accounts don't meet that criteria, either.
Shared, common-use accounts of any type should be considered highly dubious in value, but shared administration credentials are always bad.
re: Windows-specfic considerations like limited Remote Desktop / Terminal Services connections: Be curteous to your fellow admins and don't leave disconected sessions laying around. I've found that social pressure works fairly well in small organizations (i.e. mentioning frequently and loudly the fact that admin XXX doesn't remember to logoff servers). You can always boot other users' disconnected sessions off if you really have to. It adds, maybe, 30 seconds to a connection attempt. In a larger organization, or if it becomes a major problem, you might consider implementing disconnected session timeouts.
A little aside, but one that's probably on-topic since you mentioned an IT consultant: As an IT contractor myself I always request a dedicated administration account for myself, and I demand not to know any "shared" administration credentials. It protects both parties and provides an audit trail. I always want my Customers to feel like they can "lock me out" at a moment's notice (and to actually have that ability, too) because I believe it sends a powerful message that I'm confident in my ability to maintain the relationship with them based on the merits of my skills and the value I provide, not based on some vague feeling that they're "locked in" to me.
This isn't how you upgrade an NT4 domain to active directory. You have 2 options:
- Create a new Active Directory domain and migrate all computers and users into the new domain
- Upgrade the NT4 server to run Server 2003. During the upgrade process, it will convert the domain to Active Directory. Obviously, make sure you have a good backup first.
Here's Microsoft's white paper on the process. I'd consider it required reading.
http://download.microsoft.com/download/2/9/6/2964bd25-6221-45a3-8115-a547cd640cd4/NT4domtoad.doc
Best Answer
This doesn't look like a problem with the account that you're using. It sounds like you have a Computer GPO configured to restrict Windows Update. You can verify this by running
gpresult /Hand viewing the output. It should be obvious where the offending GPO is.If this really is a group membership problem, you can view detailed group information for each account by logging in and running
whoami /groups.