Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-07
Last Modified: 2010-04-19
Hey Experts,

Quick question here.
We are to lock down a server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager, however they do not trust him to get into certain areas of the server.
I already know this sounds silly, but he does do some light administrative tasks - reset passwords, manages FTP server, etc.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' functionality on the Administrator account, as he can simply just change the password.

Is there a way to do this?

Thanks
Question by:kenmartenz
9 Comments
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12255323
Rename the Administrator Account Name itself to something like Larry.
Then create a user called administrator or admin with less than full access.
If he changes that password, you don't care..

Administrative Tools
AD for Users and Computers
Right-click on Domain
Properties
Group Policy
Edit Default Policy

Computer configuration
Windows settings
Local policy
Security options
Rename administrator account (on right, about 20 items from top)
 

Author Comment

by:kenmartenz
ID: 12255656
This will not work; Ken will see right through this and reset the password on Larry....

We need to prevent the ability of Domain Admins to reset passwords on Administrator (whatever the name).
If not just to that user then revoke the ability in general for all users. We should in the same way be able to assign that ability to a user we trust.

Please help going to XYZ company tomorrow.
 
 

Author Comment

by:kenmartenz
ID: 12255663
Again Ken is not an idiot. He is knowledgeable. So this needs to be a security lockdown of windows, not a kluge.

BTW, we have noticed that there are UberAdmins in Server... Like the Schema and Enterprise admins. Is there a way to grant the right to only these groups to reset passwords? This would solve the problem!

Thanks
 

Author Comment

by:kenmartenz
ID: 12255672
Hey, sorry guys.. I had to write my response like three times for it to take.... I mentioned KEN in my previous comments. I meant to say, let's just say that ... 'KEN IS THE IT MANAGER AT COMPANY XYZ'
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 12264375
If the user is a member of the domain admin group then there is nothing that you can do. That is the highest group you can have on a domain.

I refer to the domain admin account as jail wardens - someone has to have the keys. If you don't trust someone to have the keys then they don't become a member of the domain admin group.

You will have to create another group and use delegation to control what this user can do.

Otherwise I will have to dig out a very old quote:
"There are seldom technical problems to management issues".

Simon.
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12278867
Glad you found the answer... but, in my scenario, Ken would not be able to reset the password for Larry because you would explicitly deny him access.
 

Author Comment

by:kenmartenz
ID: 12279423
Again though, How would you do that?

How do you prevent a Domain Admin from resetting any user's password for that fact inside Active Directory Users And Computers?
(right-click .. reset password)

If you know of a way, please tell me; I would love to know for further use. We have had to forgo locking down the administrator account.

 
LVL 16

Expert Comment

by:glenn_1984
ID: 12291478
AD for Computers and Users
Right Click on the new Administrator Name (Larry)
Left Click on Properties
Click on Security
Reset Security as needed for various users and groups, including: [] Reset Password
 

Expert Comment

by:jberg69
ID: 12417406
Here's a possible solution. Create a group that sounds super important, such as the IT Director Group or Super Network God group. Add your IT manager's account to this group. You could then use the permissions on the OU the administrator account resides in and specifically deny that new cool sounding group the permission to reset the password.

Or, you could place the Administrator account into an OU, and then deny him the permission to see the OU, then it's hidden from him.  You could deny him the permission to see the account as well.

And to prevent him from taking himself out of the group, you could use the restricted groups policy and place him in there all by himself.  That way he couldn't remove himself from the group.

Sounds like you need a new boss!
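Added example (not part of the thread): a Python check over a security descriptor in SDDL form that lists the ACEs naming the Reset Password extended right and the trustees who can rewrite the ACL, which is the reason the accepted answer gives for a deny entry not binding a Domain Admin. The sample descriptor, the group SID ending in 1601 and the function names are constructed assumptions.

```python
import re

# Schema GUID of the "Reset Password" extended right (User-Force-Change-Password).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
# Rights that let a trustee rewrite the DACL or owner, and so undo any deny ACE.
REWRITE_RIGHTS = {"GA", "WD", "WO"}  # full control, write DACL, write owner

# Constructed sample: a deny ACE for a hypothetical "IT Director" group (RID 1601),
# plus full-control ACEs for Domain Admins (DA) and Enterprise Admins (EA).
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;"
    "S-1-5-21-1111111111-2222222222-3333333333-1601)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(A;;GA;;;EA)"
    "(A;;RPLCRC;;;AU)"
)


def parse_dacl(sddl):
    """Return the DACL's ACEs as (type, rights, object_guid, trustee) tuples."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, guid, _inherit, trustee = body.split(";")[:6]
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, tokens, guid.lower(), trustee))
    return aces


def reset_password_aces(sddl):
    """ACEs that name the Reset Password right explicitly, in stored order."""
    effect = {"OA": "allow", "OD": "deny"}
    return [(effect[t], who) for t, rights, guid, who in parse_dacl(sddl)
            if t in effect and "CR" in rights and guid == RESET_PASSWORD]


def dacl_rewriters(sddl):
    """Trustees whose allow ACEs let them edit the DACL or take ownership."""
    found = {}
    for t, rights, _guid, who in parse_dacl(sddl):
        if t == "A" and rights & REWRITE_RIGHTS:
            found[who] = sorted(rights & REWRITE_RIGHTS)
    return found


if __name__ == "__main__":
    print("Reset Password ACEs:", reset_password_aces(SAMPLE_SDDL))
    print("Can rewrite the ACL:", dacl_rewriters(SAMPLE_SDDL))
```

Any trustee the second function reports can remove the deny entry the first one finds, so the deny only holds for accounts that are in neither list. On accounts protected by AdminSDHolder, such as the built-in Administrator, the ACL is also periodically re-stamped from the AdminSDHolder object, so a hand-edited entry on the account itself does not persist.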