Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-07
Last Modified: 2010-04-19
Hey Experts,

Quick question here.
We are to lock down a Server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager, however they do not trust him to get into certain areas of the server.
I already know this sounds silly, but he does do some light administrative tasks - reset passwords, manages FTP server, etc.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' functionality on the Administrator Account, as he can simply just change the password.

Is there a way to do this?

Thanks
Question by:kenmartenz
9 Comments
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12255323
Rename the Administrator Account Name itself to something like Larry.
Then create a user called administrator or admin with less than full access.
If he changes that password, you don't care.

Administrative Tools.
  AD for Users and Computers
     Right Click on  Domain
  Properties
  Group Policy
  Edit Default Policy

Computer configuration
Windows settings
local policy
security options
Rename administrator account (on right about 20 items from top)
0
 

Author Comment

by:kenmartenz
ID: 12255656
This will not work; Ken will see right through this and reset the password on Larry....

We need to prevent the ability of Domain Admins to reset passwords on Administrator (whatever the name).
If not just to that user then revoke the ability in general for all users. We should in the same way be able to assign that ability to a user we trust.

Please help, going to XYZ company tomorrow.
 
0
 

Author Comment

by:kenmartenz
ID: 12255663
Again Ken is not an idiot. He is knowledgeable. So this needs to be a security lockdown of windows, not a kluge.

BTW, we have noticed that there are UberAdmins in Server... Like the Schema and Enterprise admins. Is there a way to grant the right to only these groups to reset passwords? This would solve the problem!

Thanks
0

 

Author Comment

by:kenmartenz
ID: 12255672
Hey, sorry guys.. I had to write my response like three times for it to take.... I mentioned KEN in my previous comments. I meant to say, let's just say that ... "KEN IS THE IT MANAGER AT COMPANY XYZ"
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 12264375
If the user is a member of the domain admin group then there is nothing that you can do. That is the highest group you can have on a domain.

I refer to the domain admin account as jail wardens - someone has to have the keys. If you don't trust someone to have the keys then they don't become a member of the domain admin group.

You will have to create another group and use delegation to control what this user can do.

Otherwise I will have to dig out a very old quote:
"There are seldom technical problems to management issues".

Simon.
0
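The approach in the accepted answer above (no Domain Admins membership, a separate group, delegated rights), sketched as an added example that is not part of the original thread. It calls the Windows Server 2003 directory tools dsadd, dsmod, dsget and dsacls from a PowerShell prompt; the domain, OU, group and account names are assumptions.

```powershell
# Added example. Every name below is a hypothetical placeholder.
$domainDn  = 'DC=example,DC=com'
$netbios   = 'EXAMPLE'
$staffOu   = "OU=Staff,$domainDn"              # OU holding ordinary user accounts
$group     = 'Helpdesk Operators'              # new delegated group
$groupDn   = "CN=$group,OU=Groups,$domainDn"
$managerDn = "CN=Ken,OU=IT,$domainDn"          # the IT manager's account
$adminDn   = "CN=Administrator,CN=Users,$domainDn"

# 1. Create a global security group for the light admin tasks and add the manager.
dsadd group $groupDn -secgrp yes -scope g
dsmod group $groupDn -addmbr $managerDn

# 2. Remove the manager from Domain Admins. While he is a member, no ACL
#    on the Administrator account can hold him back.
dsmod group "CN=Domain Admins,CN=Users,$domainDn" -rmmbr $managerDn

# 3. Delegate on the staff OU only (dsacls is in the Server 2003 Support Tools).
#    /I:S applies the entry to child objects; the trailing "user" limits it to
#    user objects. CA = control access right, WP = write property.
dsacls $staffOu /I:S /G "$netbios\${group}:CA;Reset Password;user"
dsacls $staffOu /I:S /G "$netbios\${group}:WP;pwdLastSet;user"    # force change at next logon
dsacls $staffOu /I:S /G "$netbios\${group}:WP;lockoutTime;user"   # unlock accounts

# 4. Verify. The Administrator account sits outside the delegated OU, so the
#    new group should not appear in its Reset Password entries.
dsacls $adminDn | Select-String -Pattern 'Reset Password'

#    Accounts in protected groups (Domain Admins and similar) get their ACL
#    re-stamped from the AdminSDHolder template, so review that object too.
dsacls "CN=AdminSDHolder,CN=System,$domainDn" | Select-String -Pattern 'Reset Password'

#    Confirm the manager no longer reaches Domain Admins through group nesting.
dsget user $managerDn -memberof -expand
```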
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12278867
Glad you found the answer... but, in my scenario, Ken would not be able to reset the password for Larry because you would explicitly deny him access.
0
 

Author Comment

by:kenmartenz
ID: 12279423
Again though, How would you do that?

How do you prevent a Domain Admin from resetting any user's password for that fact inside Active Directory Users And Computers?
(right-click .. reset password)

If you know of a way, please tell me; I would love to know for further use. We have had to forgo locking down the administrator account.

0
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12291478
AD for Computers and Users
Right Click on the new Administrator Name (Larry)
Left Click on Properties
Click on Security
Reset Security as needed for various users and groups, including: [] Reset Password
0
 

Expert Comment

by:jberg69
ID: 12417406
Here's a possible solution. Create a group that sounds super important, such as the IT Director Group or Super Network God group. Add your IT manager's account to this group. You could then use the permissions on the OU the administrator account resides in and specifically deny that new cool sounding group the permission to reset the password.

Or, you could place the Administrator account into an OU, and then deny him the permission to see the OU, then it's hidden from him.  You could deny him the permission to see the account as well.

And to prevent him from taking himself out of the group, you could use the restricted groups policy and place him in there all by himself.  That way he couldn't remove himself from the group.

Sounds like you need a new boss!
0
