Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-08
3
249 Views
Last Modified: 2013-12-04
Hey Experts,

In desperate need of assistance
We are to lock down a Server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager (let's call him Ken), however they do not trust Ken to have access to SQL server where accounting data is stored.
Being the IT Manager Ken is a Domain Admin. He needs this right so he can add users and manager the FTP and other administrative tasks.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' fuctionality on the Administrator Account, as he can simply just change the password.
We need a way into the system no matter what he does....
We've noticed that Windows has uberadmins like schema admin and enterprise admin.. Is there a way to only allow these users/groups access to reset passwords?
If we have to take away his ability to change a password then so be it, there is another person who XYZ trusts who can be given this right.

Please help as we need to do this immediately and XYZ is expecting an answer on this.

Thanks
0
Comment
Question by:kenmartenz
  • 2
3 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12261853
Is the server with SQL in the same domain as the domain in which he has domain admin rights?

A domain admin has full admin rights on all computers in the same domain and there is really no way around this. That is the purpose of the domain admin account.

Here's an article from Microsoft that describes in depth the different built in security groups.


http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_adgroups_9builtin_intro.asp
0
 
LVL 18

Accepted Solution

by:
luv2smile earned 500 total points
ID: 12261892
Even if you could lock down the administrator account (which defeats the purpose of this account) then that would not stop him from doing anything an administrator could do in that particular domain since he is a domain admin.

I would look into seeing if there is a way to restrict his account in SQL server (I don't know if this is possible since I don't know anything about sql).
0
 
LVL 11

Expert Comment

by:mwnnj
ID: 12264401
Hi kenmartenz,
as a suggestion,you could take a look at this article too:
http://www.databasejournal.com/features/mssql/article.php/3341651
till later
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now