Solved

Unable to change account properties like: "password never expires", to the Administrator account

Posted on 2004-09-07
14
700 Views
Last Modified: 2010-04-13
I need tthe administrator of my Windows 2000 domain to have a password that expires, like everybody else. To do it, i go to the Account Tab in the properties of the Administrator account and i find that every checkbox from "Password never expires" to the bottom is simply disabled, i cannot change them, and of course the option "Password never expires" is activated.
I think that this is the only account i have this problem with.
I would like to know if it is possible to set an expiration for the administrator account. If its not and this behavior is by design, i would like a reference from Microsoft (article) describing such behavior.

Thanks
0
Comment
Question by:llandajuela
  • 7
  • 6
14 Comments
 
LVL 21

Expert Comment

by:jvuz
Comment Utility
Make sure you don't have local admin rights, but domain admin rights.
0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
Jvuz, is correct. With Domain Admin privileges you can set the settings on the Domain Administrator account. This is just a confirmation, not an answer.

J
0
 

Author Comment

by:llandajuela
Comment Utility
Of course, i am domain admin and i cannot change just the checkboxes i mentioned, all the rest i can change.
I can change these checkboxes of every other domain account.
0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
Open the Administrator account in active directory, from the properties page, select the Security Tab. Under security, list the permissions that have been granted to Domain Admins. Additionally, what happens if you log in with the Administrator account, can it changes its own properties?

J
0
 

Author Comment

by:llandajuela
Comment Utility
Every permission is by default, never changed security of any Active Directory object. But if i check them i see that domain admin have privileges to write and read (full control). I believe this is a default behavior, if you take a look at one of your domains you will see it, i have seen it in various different domains of different servers.

No, the administrator os not able to change its own properties.

Doesnt this happen to you? I Took a look at THREE different domains and it was all the same!!!
0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
It doesn't. I am not sure why there are differences. Because of this thread I tried to research and see if there are limitation on the account, and I can't find any details on it. I will keep looking.

J
0
 

Author Comment

by:llandajuela
Comment Utility
Would it be of any help if i would send to you a screen capture so you can see HOW IT LOOKS?, just to make sure we're talking about the same problem here.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
Has the account been moved from the original OU, is it possible that permissions have been changed on the OU in Active Directory?

Experts-Exchange doesn't like people sending emails, if you can post it on a web site and include a link, that is acceptable.

J
0
 

Author Comment

by:llandajuela
Comment Utility
The account is its default OU (Users)

Not possible for me to post it on a web site, sorry.

In order to clarify, i installed a brand new domain to see what happened, and it was disabled, so everything is in its default configuration, nothing changed.

0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
We are talking about 2 different things. I have the options and I can change them, but... I am sorry I had forgotten the part about the expiration does not apply to the administrator account even when set.

You cannot disable, delete or set an account lock-out on the Administrator account. (You can set an expiration date, but it will not lock out the account when it passes).

J

0
 

Author Comment

by:llandajuela
Comment Utility
I wish you could see every checkbox disabled from "password never expires" to the bottom.

If you say that you cannot set an expiration date, i would like some official reference from Microsoft.
0
 
LVL 9

Accepted Solution

by:
jdeclue earned 125 total points
Comment Utility
Ok, I searched all over the Microsoft site, here are some things I found...

"The Administrator account is the one you use when you first set up a workstation or member server. You use this account before you create an account for yourself. The Administrator account is a member of the Administrators group on the workstation or member server.
The Administrator account can never be deleted, disabled, or removed from the Administrators local group, ensuring that you never lock yourself out of the computer by deleting or disabling all the administrative accounts. This feature sets the Administrator account apart from other members of the Administrators local group."
 - User Overview / Administrator Account http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/lsm_local_users.htm

"The Administrator Account -
Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise, the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.
Tip To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows 2000 account, you may want to rename the account as an extra security precaution.
In most instances you won't need to change the basic settings for this account. However, you may need to change its advanced settings, such as membership in particular groups. By default, the Administrator account for a domain is a member of these groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Schema Admins, and Group Policy Creator Owners. You'll find more information on these groups in the next section."
 -http://www.microsoft.com/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadb.mspx

There is some more information I could not find, on the Microsoft Site, but I know for a fact. You are suppose to be able to Disable the Administrator account for local but not Domain, even if it is disable, it will still work of you log in with Safe Mode. The Domain Administrator account is a built-in account, and while you can change settings, it does have built-in privileges such as Domain Admin etc, that you cannot change. Let me know if this helps.

J
0
 

Author Comment

by:llandajuela
Comment Utility
Nice research job, i guess that im going to have to accept it as an answer, eventhough i still dont feel i have a clear explanation of why those checboxes are disabled, and yours are not.
Believe me that every domain i install looks the same, im not able to uncheck the "Password never expires" checbox of the Administrator account.

Thank you for your help
0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
Sorry about that, wish I could have found a much better explanation. I am pretty surprised that I couldn't find a single document that sums it up!

J
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now