Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-08
Last Modified: 2013-12-04
Hey Experts,

In desperate need of assistance.
We are to lock down a Server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager (let's call him Ken), however they do not trust Ken to have access to SQL server where accounting data is stored.
Being the IT Manager, Ken is a Domain Admin. He needs this right so he can add users and manage the FTP and other administrative tasks.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' functionality on the Administrator Account, as he can simply just change the password.
We need a way into the system no matter what he does....
We've noticed that Windows has uberadmins like schema admin and enterprise admin.. Is there a way to only allow these users/groups access to reset passwords?
If we have to take away his ability to change a password then so be it, there is another person who XYZ trusts who can be given this right.

Please help as we need to do this immediately and XYZ is expecting an answer on this.

Thanks
Question by:kenmartenz
3 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12261853
Is the server with SQL in the same domain as the domain in which he has domain admin rights?

A domain admin has full admin rights on all computers in the same domain and there is really no way around this. That is the purpose of the domain admin account.

Here's an article from Microsoft that describes in depth the different built-in security groups.


http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_adgroups_9builtin_intro.asp
 
LVL 18

Accepted Solution

by:
luv2smile earned 500 total points
ID: 12261892
Even if you could lock down the administrator account (which defeats the purpose of this account) then that would not stop him from doing anything an administrator could do in that particular domain since he is a domain admin.

I would look into seeing if there is a way to restrict his account in SQL server (I don't know if this is possible since I don't know anything about sql).
 
LVL 11

Expert Comment

by:mwnnj
ID: 12264401
Hi kenmartenz,
As a suggestion, you could take a look at this article too:
http://www.databasejournal.com/features/mssql/article.php/3341651
till later

Question has a verified solution.