In desperate need of assistance
We are to lock down a Server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager (let's call him Ken), however they do not trust Ken to have access to SQL server where accounting data is stored.
Being the IT Manager Ken is a Domain Admin. He needs this right so he can add users and manager the FTP and other administrative tasks.
We are to lock him out of knowing the main Administrator account. We will of course change the password, but....
We need a way to lock the 'Reset Password' fuctionality on the Administrator Account, as he can simply just change the password.
We need a way into the system no matter what he does....
We've noticed that Windows has uberadmins like schema admin and enterprise admin.. Is there a way to only allow these users/groups access to reset passwords?
If we have to take away his ability to change a password then so be it, there is another person who XYZ trusts who can be given this right.
Please help as we need to do this immediately and XYZ is expecting an answer on this.