Solved

Unable to change account properties like: "password never expires", to the Administrator account

Posted on 2004-09-07
14
703 Views
Last Modified: 2010-04-13
I need tthe administrator of my Windows 2000 domain to have a password that expires, like everybody else. To do it, i go to the Account Tab in the properties of the Administrator account and i find that every checkbox from "Password never expires" to the bottom is simply disabled, i cannot change them, and of course the option "Password never expires" is activated.
I think that this is the only account i have this problem with.
I would like to know if it is possible to set an expiration for the administrator account. If its not and this behavior is by design, i would like a reference from Microsoft (article) describing such behavior.

Thanks
0
Comment
Question by:llandajuela
  • 7
  • 6
14 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 12003669
Make sure you don't have local admin rights, but domain admin rights.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12006955
Jvuz, is correct. With Domain Admin privileges you can set the settings on the Domain Administrator account. This is just a confirmation, not an answer.

J
0
 

Author Comment

by:llandajuela
ID: 12010551
Of course, i am domain admin and i cannot change just the checkboxes i mentioned, all the rest i can change.
I can change these checkboxes of every other domain account.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 9

Expert Comment

by:jdeclue
ID: 12015892
Open the Administrator account in active directory, from the properties page, select the Security Tab. Under security, list the permissions that have been granted to Domain Admins. Additionally, what happens if you log in with the Administrator account, can it changes its own properties?

J
0
 

Author Comment

by:llandajuela
ID: 12016694
Every permission is by default, never changed security of any Active Directory object. But if i check them i see that domain admin have privileges to write and read (full control). I believe this is a default behavior, if you take a look at one of your domains you will see it, i have seen it in various different domains of different servers.

No, the administrator os not able to change its own properties.

Doesnt this happen to you? I Took a look at THREE different domains and it was all the same!!!
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12016832
It doesn't. I am not sure why there are differences. Because of this thread I tried to research and see if there are limitation on the account, and I can't find any details on it. I will keep looking.

J
0
 

Author Comment

by:llandajuela
ID: 12019135
Would it be of any help if i would send to you a screen capture so you can see HOW IT LOOKS?, just to make sure we're talking about the same problem here.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12019192
Has the account been moved from the original OU, is it possible that permissions have been changed on the OU in Active Directory?

Experts-Exchange doesn't like people sending emails, if you can post it on a web site and include a link, that is acceptable.

J
0
 

Author Comment

by:llandajuela
ID: 12020298
The account is its default OU (Users)

Not possible for me to post it on a web site, sorry.

In order to clarify, i installed a brand new domain to see what happened, and it was disabled, so everything is in its default configuration, nothing changed.

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12020402
We are talking about 2 different things. I have the options and I can change them, but... I am sorry I had forgotten the part about the expiration does not apply to the administrator account even when set.

You cannot disable, delete or set an account lock-out on the Administrator account. (You can set an expiration date, but it will not lock out the account when it passes).

J

0
 

Author Comment

by:llandajuela
ID: 12023957
I wish you could see every checkbox disabled from "password never expires" to the bottom.

If you say that you cannot set an expiration date, i would like some official reference from Microsoft.
0
 
LVL 9

Accepted Solution

by:
jdeclue earned 125 total points
ID: 12025823
Ok, I searched all over the Microsoft site, here are some things I found...

"The Administrator account is the one you use when you first set up a workstation or member server. You use this account before you create an account for yourself. The Administrator account is a member of the Administrators group on the workstation or member server.
The Administrator account can never be deleted, disabled, or removed from the Administrators local group, ensuring that you never lock yourself out of the computer by deleting or disabling all the administrative accounts. This feature sets the Administrator account apart from other members of the Administrators local group."
 - User Overview / Administrator Account http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/lsm_local_users.htm

"The Administrator Account -
Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise, the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.
Tip To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows 2000 account, you may want to rename the account as an extra security precaution.
In most instances you won't need to change the basic settings for this account. However, you may need to change its advanced settings, such as membership in particular groups. By default, the Administrator account for a domain is a member of these groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Schema Admins, and Group Policy Creator Owners. You'll find more information on these groups in the next section."
 -http://www.microsoft.com/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadb.mspx

There is some more information I could not find, on the Microsoft Site, but I know for a fact. You are suppose to be able to Disable the Administrator account for local but not Domain, even if it is disable, it will still work of you log in with Safe Mode. The Domain Administrator account is a built-in account, and while you can change settings, it does have built-in privileges such as Domain Admin etc, that you cannot change. Let me know if this helps.

J
0
 

Author Comment

by:llandajuela
ID: 12042681
Nice research job, i guess that im going to have to accept it as an answer, eventhough i still dont feel i have a clear explanation of why those checboxes are disabled, and yours are not.
Believe me that every domain i install looks the same, im not able to uncheck the "Password never expires" checbox of the Administrator account.

Thank you for your help
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12043214
Sorry about that, wish I could have found a much better explanation. I am pretty surprised that I couldn't find a single document that sums it up!

J
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Migrate DFS role 3 857
Cursed with a Windows 2000 Server that needs to copy files 3 723
win2k service packs 5 657
Can’t delete a file 14 179
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Starting your own business is always a daunting process, and for most people it is brand new experience. Avoid the common pitfalls by following these tips to start on the road to success.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question