Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-07
520 Views
Last Modified: 2010-04-19
Hey Experts,

Quick question here.
We are to lock down a Server (windows 2003) from a specific user.
The user, however, is Company XYZ's IT manager, and they do not trust him to get into certain areas of the server.
I already know this sounds silly, but he does do some light administrative tasks - reset passwords, manages the FTP server, etc.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' functionality on the Administrator account, as he can simply just change the password.

Is there a way to do this?

Thanks
0
Question by:kenmartenz
9 Comments
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12255323
Rename the Administrator Account Name itself to something like Larry.
Then create a user called administrator or admin with less than full access.
If he changes that password, you don't care.

Administrative Tools.
  AD for Users and Computers
     Right Click on  Domain
  Properties
  Group Policy
  Edit Default Policy

Computer configuration
Windows settings
local policy
security options
Rename administrator account (on right about 20 items from top)
0
 

Author Comment

by:kenmartenz
ID: 12255656
This will not work. Ken will see right through this and reset the password on Larry....

We need to prevent the ability of Domain Admins to reset passwords on Administrator (whatever the name).
If not just for that user, then revoke the ability in general for all users. We should in the same way be able to assign that ability to a user we trust.

Please help, going to XYZ company tomorrow.
 
0
 

Author Comment

by:kenmartenz
ID: 12255663
Again Ken is not an idiot. He is knowledgeable. So this needs to be a security lockdown of windows, not a kluge.

BTW, we have noticed that there are UberAdmins in Server... like the Schema and Enterprise admins. Is there a way to grant the right to only these groups to reset passwords? This would solve the problem!

Thanks
0

 

Author Comment

by:kenmartenz
ID: 12255672
Hey sorry guys.. I had to write my response like three times for it to take.... I mentioned KEN in my previous comments. I meant to say, let's just say that ... 'KEN IS THE IT MANAGER AT COMPANY XYZ'
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 12264375
If the user is a member of the domain admin group then there is nothing that you can do. That is the highest group you can have on a domain.

I refer to the domain admin account as jail wardens - someone has to have the keys. If you don't trust someone to have the keys then they don't become a member of the domain admin group.

You will have to create another group and use delegation to control what this user can do.

Otherwise I will have to dig out a very old quote:
"There are seldom technical problems to management issues".

Simon.
0
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12278867
Glad you found the answer... but, in my scenario, Ken would not be able to reset the password for Larry because you would explicitly deny him access.
0
 

Author Comment

by:kenmartenz
ID: 12279423
Again though, How would you do that?

How do you prevent a Domain Admin from resetting any user's password, for that matter, inside Active Directory Users and Computers?
(right-click .. reset password)

If you know of a way please tell me, I would love to know for further use. We have had to forgo locking down the administrator account.

0
 
LVL 16

Expert Comment

by:glenn_1984
ID: 12291478
AD for Computers and Users
Right Click on the new Administrator Name (Larry)
Left Click on Properties
Click on Security
Reset Security as needed for various users and groups, including: [] Reset Password
0
 

Expert Comment

by:jberg69
ID: 12417406
Here's a possible solution. Create a group that sounds super important, such as the IT Director Group or Super Network God group. Add your IT manager's account to this group. You could then use the permissions on the OU the administrator account resides in and specifically deny that new cool sounding group the permission to reset the password.

Or, you could place the Administrator account into an OU, and then deny him the permission to see the OU, then it's hidden from him.  You could deny him the permission to see the account as well.

And to prevent him from taking himself out of the group, you could use the restricted groups policy and place him in there all by himself.  That way he couldn't remove himself from the group.

Sounds like you need a new boss!
0
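The two approaches argued over in this thread, Sembee's delegation of Reset Password on an OU to a limited group, and the explicit Deny ACE on the Administrator account that glenn_1984 and jberg69 describe, as an added PowerShell example that is not code from any of the posters. It assumes the ActiveDirectory module (RSAT), and the OU name `OU=Staff`, the group names `Helpdesk` and `ITManagers`, and the domain are hypothetical. It also locates the built-in Administrator by its RID (500) rather than by name, which is why renaming the account, as in the first answer, does not hide it from a knowledgeable admin. The check at the end is the caveat the thread never reaches: the built-in Administrator is a protected account (`adminCount=1`), and the SDProp process copies the ACL of `CN=AdminSDHolder,CN=System,<domain>` over it on a schedule (hourly by default), so a Deny placed directly on the account is silently removed. Even a Deny placed on AdminSDHolder is only an obstacle, since a Domain Admin can take ownership of any object, edit the GPO, or act as SYSTEM on a DC; this is the technical reason behind Sembee's "jail warden" point.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# and these hypothetical names: OU=Staff,<domain> holds ordinary users,
# Helpdesk is the group allowed to reset ordinary users' passwords, and
# ITManagers is the group whose members must not reset the built-in
# Administrator's password.
Import-Module ActiveDirectory

# Schema GUID of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# Schema GUID of the "user" object class, used to scope inherited ACEs.
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-BuiltinAdministrator {
    # The built-in Administrator always has RID 500, whatever it has been renamed to.
    $sid = "$((Get-ADDomain).DomainSID.Value)-500"
    return Get-ADUser -Identity $sid -Properties adminCount
}

function Grant-ResetPasswordOnOu {
    # Delegation: allow the right on an OU, inherited by the user objects
    # beneath it, instead of making the IT manager a Domain Admin.
    param([string]$OuDn, [string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Deny-ResetPasswordOnUser {
    # Explicit Deny ACE for one group on one account (the ADUC Security tab
    # "Reset Password" checkbox, done from the shell).
    param([string]$UserDn, [string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ResetPasswordGuid)
    $acl = Get-Acl -Path "AD:\$UserDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$UserDn" -AclObject $acl
}

function Get-ResetPasswordAces {
    # Show who is allowed or denied "Reset Password" on an object, and whether
    # each ACE was set directly on it or inherited from a parent container.
    param([string]$Dn)
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.ObjectType -eq $ResetPasswordGuid } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

# --- usage ---
$domainDn = (Get-ADDomain).DistinguishedName
Grant-ResetPasswordOnOu -OuDn "OU=Staff,$domainDn" -GroupSam 'Helpdesk'

$admin = Get-BuiltinAdministrator
Deny-ResetPasswordOnUser -UserDn $admin.DistinguishedName -GroupSam 'ITManagers'
Get-ResetPasswordAces -Dn $admin.DistinguishedName

# Protected accounts (adminCount=1) get their ACL overwritten from
# AdminSDHolder by SDProp on its schedule (hourly by default), which discards
# the Deny just written. Show the ACEs that will actually be applied.
if ($admin.adminCount -eq 1) {
    Write-Warning "$($admin.DistinguishedName) is protected by AdminSDHolder; direct ACEs will be overwritten."
    Get-ResetPasswordAces -Dn "CN=AdminSDHolder,CN=System,$domainDn"
}
```

On a Windows Server 2003 domain without PowerShell the same ACEs can be set with `dsacls` from the Support Tools; the AdminSDHolder behaviour is the same there, since SDProp has existed since Windows 2000. Run `Get-ResetPasswordAces` again an hour or so after the Deny to see it gone, which is the quickest way to demonstrate to a customer why the delegation route, not a Deny on Administrator, is the supportable design.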
