• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267
  • Last Modified:

Can you disable the reset password for the Administrator account?

Hey Experts,

In desperate need of assistance
We are to lock down a Server (Windows 2003) from a specific user.
The user however is Company XYZ's IT manager (let's call him Ken), however they do not trust Ken to have access to SQL server where accounting data is stored.
Being the IT Manager Ken is a Domain Admin. He needs this right so he can add users and manager the FTP and other administrative tasks.

We are to lock him out of knowing the main Administrator account. We will of course change the password, but....

We need a way to lock the 'Reset Password' fuctionality on the Administrator Account, as he can simply just change the password.
We need a way into the system no matter what he does....
We've noticed that Windows has uberadmins like schema admin and enterprise admin.. Is there a way to only allow these users/groups access to reset passwords?
If we have to take away his ability to change a password then so be it, there is another person who XYZ trusts who can be given this right.

Please help as we need to do this immediately and XYZ is expecting an answer on this.

Thanks
0
kenmartenz
Asked:
kenmartenz
  • 2
1 Solution
 
luv2smileCommented:
Is the server with SQL in the same domain as the domain in which he has domain admin rights?

A domain admin has full admin rights on all computers in the same domain and there is really no way around this. That is the purpose of the domain admin account.

Here's an article from Microsoft that describes in depth the different built in security groups.


http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_adgroups_9builtin_intro.asp
0
 
luv2smileCommented:
Even if you could lock down the administrator account (which defeats the purpose of this account) then that would not stop him from doing anything an administrator could do in that particular domain since he is a domain admin.

I would look into seeing if there is a way to restrict his account in SQL server (I don't know if this is possible since I don't know anything about sql).
0
 
mwnnjCommented:
Hi kenmartenz,
as a suggestion,you could take a look at this article too:
http://www.databasejournal.com/features/mssql/article.php/3341651
till later
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now