[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Unable to change account properties like: "password never expires", to the Administrator account

Posted on 2004-09-07
14
Medium Priority
?
710 Views
Last Modified: 2010-04-13
I need tthe administrator of my Windows 2000 domain to have a password that expires, like everybody else. To do it, i go to the Account Tab in the properties of the Administrator account and i find that every checkbox from "Password never expires" to the bottom is simply disabled, i cannot change them, and of course the option "Password never expires" is activated.
I think that this is the only account i have this problem with.
I would like to know if it is possible to set an expiration for the administrator account. If its not and this behavior is by design, i would like a reference from Microsoft (article) describing such behavior.

Thanks
0
Comment
Question by:llandajuela
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
14 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 12003669
Make sure you don't have local admin rights, but domain admin rights.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12006955
Jvuz, is correct. With Domain Admin privileges you can set the settings on the Domain Administrator account. This is just a confirmation, not an answer.

J
0
 

Author Comment

by:llandajuela
ID: 12010551
Of course, i am domain admin and i cannot change just the checkboxes i mentioned, all the rest i can change.
I can change these checkboxes of every other domain account.
0
On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

 
LVL 9

Expert Comment

by:jdeclue
ID: 12015892
Open the Administrator account in active directory, from the properties page, select the Security Tab. Under security, list the permissions that have been granted to Domain Admins. Additionally, what happens if you log in with the Administrator account, can it changes its own properties?

J
0
 

Author Comment

by:llandajuela
ID: 12016694
Every permission is by default, never changed security of any Active Directory object. But if i check them i see that domain admin have privileges to write and read (full control). I believe this is a default behavior, if you take a look at one of your domains you will see it, i have seen it in various different domains of different servers.

No, the administrator os not able to change its own properties.

Doesnt this happen to you? I Took a look at THREE different domains and it was all the same!!!
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12016832
It doesn't. I am not sure why there are differences. Because of this thread I tried to research and see if there are limitation on the account, and I can't find any details on it. I will keep looking.

J
0
 

Author Comment

by:llandajuela
ID: 12019135
Would it be of any help if i would send to you a screen capture so you can see HOW IT LOOKS?, just to make sure we're talking about the same problem here.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12019192
Has the account been moved from the original OU, is it possible that permissions have been changed on the OU in Active Directory?

Experts-Exchange doesn't like people sending emails, if you can post it on a web site and include a link, that is acceptable.

J
0
 

Author Comment

by:llandajuela
ID: 12020298
The account is its default OU (Users)

Not possible for me to post it on a web site, sorry.

In order to clarify, i installed a brand new domain to see what happened, and it was disabled, so everything is in its default configuration, nothing changed.

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12020402
We are talking about 2 different things. I have the options and I can change them, but... I am sorry I had forgotten the part about the expiration does not apply to the administrator account even when set.

You cannot disable, delete or set an account lock-out on the Administrator account. (You can set an expiration date, but it will not lock out the account when it passes).

J

0
 

Author Comment

by:llandajuela
ID: 12023957
I wish you could see every checkbox disabled from "password never expires" to the bottom.

If you say that you cannot set an expiration date, i would like some official reference from Microsoft.
0
 
LVL 9

Accepted Solution

by:
jdeclue earned 375 total points
ID: 12025823
Ok, I searched all over the Microsoft site, here are some things I found...

"The Administrator account is the one you use when you first set up a workstation or member server. You use this account before you create an account for yourself. The Administrator account is a member of the Administrators group on the workstation or member server.
The Administrator account can never be deleted, disabled, or removed from the Administrators local group, ensuring that you never lock yourself out of the computer by deleting or disabling all the administrative accounts. This feature sets the Administrator account apart from other members of the Administrators local group."
 - User Overview / Administrator Account http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/lsm_local_users.htm

"The Administrator Account -
Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise, the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.
Tip To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows 2000 account, you may want to rename the account as an extra security precaution.
In most instances you won't need to change the basic settings for this account. However, you may need to change its advanced settings, such as membership in particular groups. By default, the Administrator account for a domain is a member of these groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Schema Admins, and Group Policy Creator Owners. You'll find more information on these groups in the next section."
 -http://www.microsoft.com/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadb.mspx

There is some more information I could not find, on the Microsoft Site, but I know for a fact. You are suppose to be able to Disable the Administrator account for local but not Domain, even if it is disable, it will still work of you log in with Safe Mode. The Domain Administrator account is a built-in account, and while you can change settings, it does have built-in privileges such as Domain Admin etc, that you cannot change. Let me know if this helps.

J
0
 

Author Comment

by:llandajuela
ID: 12042681
Nice research job, i guess that im going to have to accept it as an answer, eventhough i still dont feel i have a clear explanation of why those checboxes are disabled, and yours are not.
Believe me that every domain i install looks the same, im not able to uncheck the "Password never expires" checbox of the Administrator account.

Thank you for your help
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12043214
Sorry about that, wish I could have found a much better explanation. I am pretty surprised that I couldn't find a single document that sums it up!

J
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question