2 Man IT Group with Security Questions

Posted on 2008-06-10
Medium Priority
Last Modified: 2013-12-04

I am the IT manager for a small company with a 2000 AD and about 40 PCs.  I have one guy that works with me who is basically help desk.  He is also my backup when I am away.  Our company has grown over time, but we still manage everything ok.  I do not consider myself an expert when it comes to AD at all.  Right now we both log into all servers using a Domain Admin account.  We both use the same complex password and I really don't see any other way around it.  I could limit him on some things but he is my backup when I am gone.  If I had a large IT department I would greatly consider doing this.  As it is now he sets up and removes users in AD.  Am I going about this wrong to give him the same access as me?  He has worked here for 3 years, is a lifelong friend that I trust.


We have always managed users' passwords.  We have always changed them every 6 months and required them to be complex.  I am entertaining the idea of handing that over to the users and modifying the security policy on the DC to make them change passwords every 60 days and require complex passwords.  The issue is we can still log into their computers using the domain admin account and could get access to all their files etc and I don't think we should be able to do that.  We still need to install programs and update the computers.  Is there a way to do this and restrict our access from their files?
Question by: jamessa
Accepted Solution

worldinchaos earned 2000 total points
ID: 21752342
Not really.

The point of the administration account is that it is all powerful with complete access.  I work in a small IT dept supporting about 150 users, and we could, at any time, access any files on our servers.

I don't know of any way that you could create an account with 'admin' privileges necessary for installing software without inheriting privileges and permissions to access their files.  There is a way that they can go and create security restrictions on certain folders, but then, in the event of an emergency or crash, or accidental account deletion, or password forever lost and unresettable, ALL their files will be lost forever.

Author Comment

ID: 21752582
An outside firm is telling our owner that we as the IT department should not have user passwords to their desktops.  I am fine with this, but I told them that I can still access everything on their computer so the only thing it would change is the fact that the user would have to log me in if I make a change to their environment.  Plus if a user's desktop is locked I would have to reset their password or risk kicking them out of unsaved apps.  Now we log in as them, close everything out and go in as admin.

Expert Comment

ID: 21752621
Oh!  I didn't understand that you actually know each user's password.  I think that is very bad for accountability and auditing's sake.  It also means logfiles are of no use, since any IT member can impersonate any user.  You should have a domain admin account for yourself and your other IT admins (probably with different account names, but the same roles/permissions).
You should not have to know your users' passwords.  If their computers are locked, have them unlock them or plan ahead.  You still cannot unlock a locked computer by resetting the AD password.  You need to know the prior password, and like you said, forcing a login at the locked screen will cause them to lose all unsaved data.  Just plan ahead, send an email, or post an announcement saying to leave their computer unlocked, or better yet, to log off instead.  This way you will be able to log in without interfering with their programs.
I still do not think that there is any way to be an admin without full file access, which is required, by definition, to install programs and such.
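The two practical changes raised in this thread, separate named admin accounts instead of one shared Domain Admin login, and scoping the helpdesk role to user create/delete and password reset on one OU, can be scripted as below. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), and the domain name, OU, group and account names are hypothetical placeholders.

```powershell
# Added example (not from the thread): one named privileged account per IT person
# plus OU-scoped delegation for the helpdesk role, instead of a shared Domain Admin login.
# Assumes the ActiveDirectory module; domain example.local, OU "Staff", group
# "Helpdesk-UserAdmins" and the adm.* account names are hypothetical.
Import-Module ActiveDirectory

$ouDN    = "OU=Staff,DC=example,DC=local"
$grpName = "Helpdesk-UserAdmins"

# 1. Separate, named admin accounts: the security log then shows who did what,
#    which a shared account with one password cannot provide.
foreach ($name in @("adm.jamessa", "adm.helpdesk")) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -Enabled $true `
            -AccountPassword (Read-Host "Password for $name" -AsSecureString)
    }
}
# Only the IT manager's named account stays in Domain Admins.
Add-ADGroupMember -Identity "Domain Admins" -Members "adm.jamessa"

# 2. The helpdesk group gets just user create/delete and password reset on one OU.
if (-not (Get-ADGroup -Filter "Name -eq '$grpName'")) {
    New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security -Path $ouDN
}
Add-ADGroupMember -Identity $grpName -Members "adm.helpdesk"

$sid       = (Get-ADGroup $grpName).SID
$userClass = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schema GUID of the user class
$resetPwd  = [guid]"00299570-246d-11d0-a768-00aa006e0529"   # "Reset Password" extended right
$acl = Get-Acl -Path "AD:\$ouDN"

# Allow creating and deleting user objects in the OU and its sub-OUs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "CreateChild,DeleteChild", "Allow", $userClass, "All")))
# Allow resetting passwords, but only on user objects below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "ExtendedRight", "Allow", $resetPwd, "Descendents", $userClass)))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

The backup role discussed in the thread can then be covered by temporarily adding the helpdesk account to Domain Admins while the manager is away, rather than sharing one account and password permanently.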

Author Comment

ID: 21752756
You are giving some good points!  Thanks!
