Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-08
3
Medium Priority
?
257 Views
Last Modified: 2013-12-04
Hey Experts,

In desperate need of assistance
We are to lock down a Server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager (let's call him Ken), however they do not trust Ken to have access to SQL server where accounting data is stored.
Being the IT Manager Ken is a Domain Admin. He needs this right so he can add users and manager the FTP and other administrative tasks.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' fuctionality on the Administrator Account, as he can simply just change the password.
We need a way into the system no matter what he does....
We've noticed that Windows has uberadmins like schema admin and enterprise admin.. Is there a way to only allow these users/groups access to reset passwords?
If we have to take away his ability to change a password then so be it, there is another person who XYZ trusts who can be given this right.

Please help as we need to do this immediately and XYZ is expecting an answer on this.

Thanks
0
Comment
Question by:kenmartenz
  • 2
3 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12261853
Is the server with SQL in the same domain as the domain in which he has domain admin rights?

A domain admin has full admin rights on all computers in the same domain and there is really no way around this. That is the purpose of the domain admin account.

Here's an article from Microsoft that describes in depth the different built in security groups.


http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_adgroups_9builtin_intro.asp
0
 
LVL 18

Accepted Solution

by:
luv2smile earned 2000 total points
ID: 12261892
Even if you could lock down the administrator account (which defeats the purpose of this account) then that would not stop him from doing anything an administrator could do in that particular domain since he is a domain admin.

I would look into seeing if there is a way to restrict his account in SQL server (I don't know if this is possible since I don't know anything about sql).
0
 
LVL 11

Expert Comment

by:mwnnj
ID: 12264401
Hi kenmartenz,
as a suggestion,you could take a look at this article too:
http://www.databasejournal.com/features/mssql/article.php/3341651
till later
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question