Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-07
Last Modified: 2010-04-19
Hey Experts,

Quick question here.
We are to lock down a server (Windows 2003) from a specific user.
The user, however, is Company XYZ's IT manager; however, they do not trust him to get into certain areas of the server.
I already know this sounds silly, but he does do some light administrative tasks - reset passwords, manages FTP server, etc.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' functionality on the Administrator account, as he can simply just change the password.

Is there a way to do this?

Thanks
Question by:kenmartenz
9 Comments
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12255323
Rename the Administrator account name itself to something like Larry.
Then create a user called administrator or admin with less than full access.
If he changes that password, you don't care.

Administrative Tools
  AD for Users and Computers
    Right Click on Domain
      Properties
        Group Policy
          Edit Default Policy

Computer configuration
  Windows settings
    local policy
      security options
        Rename administrator account (on right about 20 items from top)
0
 

Author Comment

by:kenmartenz
ID: 12255656
This will not work; Ken will see right through this and reset the password on Larry....

We need to prevent the ability of Domain Admins to reset passwords on Administrator (whatever the name).
If not just to that user then revoke the ability in general for all users. We should in the same way be able to assign that ability to a user we trust.

Please help, going to XYZ company tomorrow.
 
0
 

Author Comment

by:kenmartenz
ID: 12255663
Again Ken is not an idiot. He is knowledgeable. So this needs to be a security lockdown of windows, not a kluge.

BTW, we have noticed that there are UberAdmins in Server... Like the Schema and Enterprise admins. Is there a way to grant the right to only these groups to reset passwords? This would solve the problem!

Thanks
0

 

Author Comment

by:kenmartenz
ID: 12255672
Hey sorry guys.. I had to write my response like three times for it to take.... I mentioned KEN in my previous comments. I meant to say let's just say that ... "KEN IS THE IT MANAGER AT COMPANY XYZ"
0
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 12264375
If the user is a member of the domain admin group then there is nothing that you can do. That is the highest group you can have on a domain.

I refer to the domain admin account as jail wardens - someone has to have the keys. If you don't trust someone to have the keys then they don't become a member of the domain admin group.

You will have to create another group and use delegation to control what this user can do.

Otherwise I will have to dig out a very old quote:
"There are seldom technical problems to management issues".

Simon.
0
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12278867
Glad you found the answer... but, in my scenario, Ken would not be able to reset the password for Larry because you would explicitly deny him access.
0
 

Author Comment

by:kenmartenz
ID: 12279423
Again though, How would you do that?

How do you prevent a Domain Admin from resetting any user's password for that fact inside Active Directory Users And Computers?
(right-click .. reset password)

If you know of a way, please tell me; I would love to know for further use. We have had to forgo locking down the administrator account.

0
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12291478
AD for Computers and Users
Right Click on the new Administrator Name (Larry)
Left Click on Properties
Click on Security
Reset Security as needed for various users and groups, including: [] Reset Password
0
 

Expert Comment

by:jberg69
ID: 12417406
Here's a possible solution. Create a group that sounds super important, such as the IT Director Group or Super Network God group. Add your IT manager's account to this group. You could then use the permissions on the OU the administrator account resides in and specifically deny that new cool sounding group the permission to reset the password.

Or, you could place the Administrator account into an OU, and then deny him the permission to see the OU, then it's hidden from him.  You could deny him the permission to see the account as well.

And to prevent him from taking himself out of the group, you could use the restricted groups policy and place him in there all by himself.  That way he couldn't remove himself from the group.

Sounds like you need a new boss!
0
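
Added example, not part of any post in this thread: a small Python model of the access check behind the deny-ACE suggestion above and the accepted answer's objection to it. The DACL string, the domain SID and the group RIDs 1601/1602 are constructed for illustration; only two-letter SDDL rights are handled and user privileges are not modelled.

```python
import re

# Extended right "Reset Password" (User-Force-Change-Password) in AD.
RESET_PWD = "00299570-246d-11d0-a768-00aa006e0529"
FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"  # SDDL rights for Full Control

# Constructed sample: the domain SID and RIDs 1601/1602 are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS = DOM + "-512"
DENIED_GROUP = DOM + "-1601"   # hypothetical "IT Director Group"
RESETTERS = DOM + "-1602"      # hypothetical delegated reset group
SAMPLE_DACL = (
    f"D:(OD;;CR;{RESET_PWD};;{DENIED_GROUP})"   # explicit deny listed first
    f"(OA;;CR;{RESET_PWD};;{RESETTERS})"
    f"(A;;{FULL};;;{DOMAIN_ADMINS})"
)

def pairs(s):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def parse_dacl(sddl):
    """Return the DACL's ACEs in order: (type, flags, rights, guid, sid)."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl.split("D:", 1)[1]):
        typ, flags, rights, guid, _inherit, sid = body.split(";")[:6]
        aces.append((typ, pairs(flags), pairs(rights), guid.lower(), sid))
    return aces

def allowed(aces, token, right, guid=""):
    """First ACE that matches the token and the right decides the outcome."""
    for typ, flags, rights, ace_guid, sid in aces:
        if sid not in token or "IO" in flags:
            continue                      # other trustee, or inherit-only
        if ace_guid and ace_guid != guid:
            continue                      # object ACE for a different right
        if right in rights or "GA" in rights:
            return typ in ("A", "OA")     # D / OD is an explicit deny
    return False                          # nothing matched: implicit deny

def assess(sddl, token):
    """What can a token holding these group SIDs do to the account?"""
    aces = parse_dacl(sddl)
    return {
        "reset_password": allowed(aces, token, "CR", RESET_PWD),
        "rewrite_dacl": allowed(aces, token, "WD"),
        "take_ownership": allowed(aces, token, "WO"),
    }

if __name__ == "__main__":
    print("Domain Admin:", assess(SAMPLE_DACL, {DOMAIN_ADMINS, DENIED_GROUP}))
    print("Delegated   :", assess(SAMPLE_DACL, {DENIED_GROUP, RESETTERS}))
```

With this DACL a Domain Admin in the denied group cannot reset the password as things stand, but can rewrite the DACL and remove the deny, while the same user without Domain Admins membership can do neither. On a real domain the ACL of protected accounts such as the built-in Administrator is also periodically re-stamped from AdminSDHolder, so a deny ACE set directly on the account does not persist.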


Question has a verified solution.