Solved

Can you disable the reset password for the Administrator account?

Posted on 2004-10-08
3
253 Views
Last Modified: 2013-12-04
Hey Experts,

In desperate need of assistance
We are to lock down a Server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager (let's call him Ken), however they do not trust Ken to have access to SQL server where accounting data is stored.
Being the IT Manager Ken is a Domain Admin. He needs this right so he can add users and manager the FTP and other administrative tasks.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' fuctionality on the Administrator Account, as he can simply just change the password.
We need a way into the system no matter what he does....
We've noticed that Windows has uberadmins like schema admin and enterprise admin.. Is there a way to only allow these users/groups access to reset passwords?
If we have to take away his ability to change a password then so be it, there is another person who XYZ trusts who can be given this right.

Please help as we need to do this immediately and XYZ is expecting an answer on this.

Thanks
0
Comment
Question by:kenmartenz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12261853
Is the server with SQL in the same domain as the domain in which he has domain admin rights?

A domain admin has full admin rights on all computers in the same domain and there is really no way around this. That is the purpose of the domain admin account.

Here's an article from Microsoft that describes in depth the different built in security groups.


http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_adgroups_9builtin_intro.asp
0
 
LVL 18

Accepted Solution

by:
luv2smile earned 500 total points
ID: 12261892
Even if you could lock down the administrator account (which defeats the purpose of this account) then that would not stop him from doing anything an administrator could do in that particular domain since he is a domain admin.

I would look into seeing if there is a way to restrict his account in SQL server (I don't know if this is possible since I don't know anything about sql).
0
 
LVL 11

Expert Comment

by:mwnnj
ID: 12264401
Hi kenmartenz,
as a suggestion,you could take a look at this article too:
http://www.databasejournal.com/features/mssql/article.php/3341651
till later
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question