
Restrict the Admins that can change the password of a particular user account

We have one "Master" Admin (default "Administrator" account) and some regular Admins in our company. We have classified information which is only accessible through particular user accounts. But as Admins generally have the permission to change the password, they could access this data by changing the passwords. Is it possible to restrict the "normal" admins so that they are not able to change the password of particular accounts?

Top Expert 2013

Commented:
When you talk about "normal admins" are they in either the builtin administrators group on the DC or the domain admin group?

Thanks

Mike

Author

Commented:
They are not members of the built-in administrator group. They are members of the domain admin group.

cu,
Michael
ThinkPaper, IT Consultant

Commented:
As long as those "standard" admins are NOT full "domain admins", then yes, I believe you can limit them to only change passwords for users allowed and not others. You would have to play around with the security settings/memberships/group policies and set up proper permissions so that they can manage workstations/servers (i.e. do their jobs) etc.

I haven't done this, but for those specific users, you should be able to go into Active Directory, locate the user, right-click Properties, click the Security tab and deny access for that "standard" group of Admins.

However, you'd have to make sure that they also don't have permissions to go in and redo the security settings itself, so they can grant themselves permissions.

This would require a good amount of testing to make sure the permissions are properly set.

Is this a large group of users you need to deny access to, or is it just a handful?
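The per-account ACL approach described in this answer, as an added example that is not part of the thread or anyone's posted code. It denies the "Reset Password" control access right on a short list of protected user objects to a delegated help-desk group, using the ActiveDirectory module's AD: drive. The group and account names are placeholders; the GUID is the schema GUID of the User-Force-Change-Password right. As the thread goes on to say, this only holds if the delegated admins are not members of Domain Admins (or another group with full control on the objects), because a principal that can rewrite the DACL can simply remove the deny entry.

```powershell
# Added example (not from the thread): deny the "Reset Password" extended right
# on a few protected user accounts for a delegated, non-Domain-Admin group.
# Assumes RSAT / the ActiveDirectory module, run with rights to edit object ACLs.
Import-Module ActiveDirectory

$helpdeskGroup     = 'CONTOSO\Helpdesk-Admins'            # placeholder: delegated admin group
$protectedAccounts = @('board.member1', 'board.member2')   # placeholder sAMAccountNames

# Schema GUID of the User-Force-Change-Password control access right ("Reset Password")
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$identity = New-Object System.Security.Principal.NTAccount($helpdeskGroup)

foreach ($sam in $protectedAccounts) {
    $user = Get-ADUser -Identity $sam
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Object-specific Deny ACE: ExtendedRight restricted to the Reset Password GUID,
    # on this object only (no inheritance), so other password resets are unaffected.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $resetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Denied Reset Password on $($user.DistinguishedName) for $helpdeskGroup"
}

# Verify: show the deny entries that now reference the group on each protected account
foreach ($sam in $protectedAccounts) {
    $dn = (Get-ADUser -Identity $sam).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -eq $helpdeskGroup -and
                       $_.ObjectType -eq $resetPasswordGuid -and
                       $_.AccessControlType -eq 'Deny' } |
        Select-Object @{n='Account';e={$sam}}, IdentityReference, ActiveDirectoryRights, AccessControlType
}
```

Two caveats worth testing for: if any of the protected accounts is a member of a protected group (Domain Admins, Account Operators and the like), the AdminSDHolder/SDProp process will periodically overwrite the object's ACL and remove the deny entry; and a deny on Reset Password does not by itself block other writes to the object (group membership, logon script, userAccountControl), which the author later says would also need to be inhibited, so those rights need their own deny entries or, better, simply never get delegated.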
ThinkPaper, IT Consultant

Commented:
The only way would be if you can take them out of Domain Admins; otherwise they'd have full perms to do anything and override any settings you do.

Author

Commented:
Would it be possible in the group restrictions to disallow the password access specifically to "a" user account? I don't want them to not be able to change passwords in general. Or would that rather be something that would be set through the ACL of "the" user account?

And yes, it's only 4 accounts that require this special protection.

Author

Commented:
I can effectively lock the admins from accessing user data on the disk without them having any chance to access the data, apart from the password changing "trick". I find it hard to believe that it is not possible to lock them from accessing specific AD entries.

The solution does not have to be limited to the password; inhibiting any change to the accounts would also do.
Top Expert 2013
Commented:
As long as they are domain admins you really can't restrict them; domain admins can do anything in an AD network.

Cris Hanna, Sr IT Support Engineer
Commented:
For a Small Business Server, with a max of 75 CALs, I'm curious as to why there is a need for multiple Admins.
When you say Admins, I'm assuming they are members of the Domain Admins group?
The short answer is no. Any role that has permission to change a password can change all passwords.
But there is not even any need to change passwords; just simply take ownership of any folder on the server and see whatever is in it.
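Since the thread's conclusion is that a Domain Admin cannot be technically prevented from resetting a password, the remaining control is to make sure such a reset is at least visible. The following is an added example, not code from the thread, that pulls Security event 4724 ("An attempt was made to reset an account's password") from a domain controller and reports any reset that targets one of the protected accounts. It assumes the "Audit User Account Management" subcategory is enabled on the DCs and that it runs on a DC (or is pointed at one with -ComputerName); the account names are placeholders. Event 4723 is the user's own password change (old password supplied) and is deliberately not included, so only administrative resets are listed.

```powershell
# Added example (not from the thread): report admin password resets (event 4724)
# against a short list of protected accounts over the last 7 days.
# Assumes "Audit User Account Management" success auditing is on and this runs on a DC.
$protectedAccounts = @('board.member1', 'board.member2')   # placeholder sAMAccountNames
$since = (Get-Date).AddDays(-7)

function Get-ProtectedAccountResets {
    param(
        [string[]]$Accounts,
        [datetime]$StartTime,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # 4724 = reset by another principal (no old password needed); 4723 = user's own change
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = $StartTime }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($Accounts -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Target   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                ResetBy  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                LogonId  = $data['SubjectLogonId']
                Computer = $e.MachineName
            }
        }
    }
}

Get-ProtectedAccountResets -Accounts $protectedAccounts -StartTime $since |
    Sort-Object Time |
    Format-Table -AutoSize
```

The event is written on the DC that performed the reset, so in a multi-DC domain the query has to be run against each DC or against a collector; on the single-server SBS setup in this thread one run is enough. Because a Domain Admin can also clear the Security log, a copy forwarded off-box (event forwarding or a syslog/SIEM agent) is what makes this report trustworthy rather than the local log alone.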

Author

Commented:
Because sometimes people are on holiday or simply not there to do something "now". The Admins don't really have a lot to do...
Cris Hanna, Sr IT Support Engineer

Commented:
I'm a full believer in having a backup... if the main admin gets hit by a bus.
Personally I would remove all these people from the domain admin group. Create a second domain admin account (called Admin Backup). The main admin puts the password on paper in a sealed envelope, and it's placed in the company safe. If the backup is "activated" then the envelope is pulled out, they do what they need to do, then when the Admin returns the password gets changed and placed back in the safe. But there is no way to restrict a domain admin account.

Author

Commented:
Still leaves the fact that we have admins that need a day to day access as admin but are not allowed access to restricted accounts.
Cris Hanna, Sr IT Support Engineer

Commented:
"The Admins don't really have a lot to do..." So you have one person who uses the Administrator account? The rest use other accounts, which are also members of the Domain Admins group, but by your own admission they don't have much to do? Do they have other jobs in the company and system admin is a secondary function if the Administrator is gone?

Author

Commented:
The built-in "Administrator" password is known to only two people in the company, both board members and they have a lot of other things to do and therefore have to delegate the help-desk type of issue to the "lower" admins. The designated Admins are normal employees that have non admin tasks (for which they use normal non admin accounts) that keep them busy most of the time but they are familiar with servers.
Cris Hanna, Sr IT Support Engineer

Commented:
Well, it should be crystal clear at this point that you have 2 options: 1) leave them as domain admins and have them sign confidentiality agreements, which have first been reviewed by the company lawyer, or 2) remove them all as domain admins and have board members take on the work.
Tolomir, Administrator
Top Expert 2005

Commented:
You could also use Windows EFS for those accounts. When an administrator resets the password, access to the EFS-encrypted files is impossible.

This should keep them off. Another option is to use the free TrueCrypt disk encryption. All affected users could know the password for the volume. Downside: while a TrueCrypt volume is mounted it is accessible by any valid user.

I can think of a PGP solution though. http://www.pgp.com/products/netshare/ This allows transparent access to restricted data. With a 2-factor authentication the sneaky admins are on a lost track.

Tolomir
Awarded 2009
Top Expert 2010

Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.