Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-07
9
507 Views
Last Modified: 2010-04-19
Hey Experts,

Quick question here.
We are to lock down a Server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager, however they do not trust him to get into certain areas of the server.
I already know this sounds silly, but he does do some light administrative tasks - reset passwords, manages FTP server, etc.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' functionality on the Administrator Account, as he can simply just change the password.

Is there a way to do this?

Thanks
0
Question by:kenmartenz
9 Comments
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12255323
Rename the Administrator Account Name itself to something like Larry.
Then create a user called administrator or admin with less than full access.
If he changes that password, you don't care..

Administrative Tools
AD for Users and Computers
Right Click on Domain
Properties
Group Policy
Edit Default Policy

Computer configuration
Windows settings
local policy
security options
Rename administrator account (on right about 20 items from top)
0
 

Author Comment

by:kenmartenz
ID: 12255656
This will not work. Ken will see right through this and reset the password on Larry....

We need to prevent the ability of Domain Admins to reset passwords on Administrator (whatever the name).
If not just to that user then revoke the ability in general for all users. We should in the same way be able to assign that ability to a user we trust.

Please help, going to XYZ company tomorrow.
 
0
 

Author Comment

by:kenmartenz
ID: 12255663
Again Ken is not an idiot. He is knowledgeable. So this needs to be a security lockdown of windows, not a kluge.

BTW, we have noticed that there are UberAdmins in Server... Like the Schema and Enterprise admins. Is there a way to grant the right to only these groups to reset passwords? This would solve the problem!

Thanks
0
 

Author Comment

by:kenmartenz
ID: 12255672
Hey sorry guys.. I had to write my response like three times for it to take.... I mentioned KEN in my previous comments. I meant to say, let's just say that ... 'KEN IS THE IT MANAGER AT COMPANY XYZ'
0

 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 12264375
If the user is a member of the domain admin group then there is nothing that you can do. That is the highest group you can have on a domain.

I refer to the domain admin account as jail wardens - someone has to have the keys. If you don't trust someone to have the keys then they don't become a member of the domain admin group.

You will have to create another group and use delegation to control what this user can do.

Otherwise I will have to dig out a very old quote:
"There are seldom technical problems to management issues".

Simon.
0
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12278867
Glad you found the answer...but, in my scenario, Ken would not be able to reset the password for Larry because you would explicitly deny him access.
0
 

Author Comment

by:kenmartenz
ID: 12279423
Again though, How would you do that?

How do you prevent a Domain Admin from resetting any user's password for that fact inside Active Directory Users And Computers?
(right-click .. reset password)

If you know of a way please tell me, I would love to know for further use. We have had to forgo locking down the administrator account.

0
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12291478
AD for Computers and Users
Right Click on the new Administrator Name (Larry)
Left Click on Properties
Click on Security
Reset Security as needed for various users and groups, including: [] Reset Password
0
 

Expert Comment

by:jberg69
ID: 12417406
Here's a possible solution. Create a group that sounds super important, such as the IT Director Group or Super Network God group. Add your IT manager's account to this group. You could then use the permissions on the OU the administrator account resides in and specifically deny that new cool sounding group the permission to reset the password.

Or, you could place the Administrator account into an OU, and then deny him the permission to see the OU, then it's hidden from him.  You could deny him the permission to see the account as well.

And to prevent him from taking himself out of the group, you could use the restricted groups policy and place him in there all by himself.  That way he couldn't remove himself from the group.

Sounds like you need a new boss!
0
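
Added example, not part of any post in this thread: the delegation approach from the accepted answer, followed by an audit of who can still reset or re-permission a given account, which is the check that shows whether a Deny ACE as suggested in the later comments would hold. The OU, group and domain names are placeholders, and it assumes a management host with the ActiveDirectory PowerShell module and `dsacls` available.

```powershell
# Added example. All names are placeholders, not values from the thread.
Import-Module ActiveDirectory

$StaffOU   = 'OU=Staff,DC=example,DC=com'  # assumed OU of ordinary user accounts
$Delegates = 'EXAMPLE\PasswordResetters'   # assumed group; NOT in Domain Admins
$Protected = 'Administrator'               # account whose ACL is audited

# 1. Delegate only the "Reset Password" extended right, only on user objects
#    below the OU (/I:S = apply to sub-objects, CA = control access right).
dsacls $StaffOU /I:S /G "${Delegates}:CA;Reset Password;user"

# 2. Audit who can still reset, or re-permission, the protected account.
$ResetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password right
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]
$dn  = (Get-ADUser -Identity $Protected).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

# The owner can always rewrite the ACL, whatever ACEs it contains.
"Owner: $($acl.Owner)"

# Keep ACEs that (a) grant or deny the reset right directly (an empty
# ObjectType on an ExtendedRight ACE means all extended rights), or
# (b) allow editing the ACL or taking ownership, which can undo any Deny ACE.
$acl.Access | Where-Object {
    $r = $_.ActiveDirectoryRights
    ($r.HasFlag($Rights::ExtendedRight) -and
        ($_.ObjectType -in @($ResetPwd, [guid]::Empty))) -or
    $r.HasFlag($Rights::WriteDacl) -or
    $r.HasFlag($Rights::WriteOwner)
} | Sort-Object AccessControlType |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize
```

For accounts that belong to protected groups such as Domain Admins, the ACL is periodically reset from the AdminSDHolder template, so a Deny ACE placed on the account itself does not persist.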
