Solved

"Main" Administrator

Posted on 2013-01-04
13
267 Views
Last Modified: 2013-01-14
I have to provide a solution for this scenario:

Single workstation running Windows Vista HP. No domain. The owner wants to be the "Main" administrator of the computer. The idea is to have a Standard account and an Administrator account. Everyone who uses the computer will work under the Standard account. Only the Manager and the Owner have the password to the Administrator account. Now, the Owner wants another Administrator account where he only knows the password. I told him the problem is that any administrator can change or delete the password of another administrator. It is my guess that the main issue here would be preventing any other account from changing or deleting the password of a "Main" administrator account. The only use for having the Managers Administrator account is to perform some duties such as installing printers and programs.

I am looking for a solution to this problem. I prefer to handle this all through Windows although I am willing to look at third party software as a possible option.
0
Comment
Question by:rbudj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
13 Comments
 
LVL 15

Expert Comment

by:jerseysam
ID: 38743773
You can set up accounts that have different names but still have Administrator or standard user profiles. So even though you have 3 "Administrator Privaledged" accounts, they all have different names and passwords.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38743794
But yes you are correct, ANY administrator can change ANY other administrators password.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 38743795
As you point out, any adminstrator ID can change the password of every other account. But since only the Manager and Owner know the key passwords, that should be no problem. So set the Owner up with a new ID that is a member of the administrators group.

The bigger concern is that the Owner will go to dodgy places and hose the computer with viruses. Make this clear to the owner in diplomatic language. Make sure the computer has top grade, paid, commercial antivirus. Forget free A/V for this machine

.... Thinkpads_User
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 16

Author Comment

by:rbudj
ID: 38744126
Thanks for the replies.

There seems to be no budging the Owner from the requirement of having the top level administrator account. I can present to her that we can't do it exactly how she wants but I have to offer another solution. I wonder if I can use some Local Policy that will restrict changing passwords or to some other effect?

So really option 1 is:

Have only 1 Administrator account for Owner. Any time Manager or Employee needs to perform administrative task, Owner must enter password.

What other options can we come up with?
0
 
LVL 16

Author Comment

by:rbudj
ID: 38744189
I guess another option could be to use local policy to exclude user accounts from control panel, or remove control panel all together.
0
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 38744210
As we have noted, an Administrator can change / negate anything, so if the Owner wishes to be a member of the administrators group, then that is what we need to do.

Beyond Trust offers a granular approach for specific elevated permissions, and works like group policy, but it has a lot of overhead for one computer.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition

... Thinkpads_User
0
 
LVL 16

Author Comment

by:rbudj
ID: 38744438
I had better stick with a Windows solution. The owner wants simplicity. More or less a set it and forget it method.
0
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 38744458
I understand. But there is no native Windows solution that will prevent an administrator from doing what they wish.

So you need to explain these responsibilities to the Owner and to the Manager. That is about all that is left now.

.... Thinkpads_User
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 38744669
Moving on from all the comments here, get a copy of Ghost (cheap) or equivalent imaging solution and a USB hard drive. Make an image of the system so you can quickly restore the computer to operation when disaster strikes. ... Thinkpads_User
0
 
LVL 16

Accepted Solution

by:
rbudj earned 0 total points
ID: 38744917
I may go the route of disabling access to the control panel. Even though any administrator could undo the policy, no one using the computer will quite know how. Nor will they know how to use the command prompt to change the password.

I agree about the imaging. The owner though wants to call me as a last resort. So basically she has had some disgruntled employees in the past and wants to have the upper hand from now on. I think I have enough ideas to present her options.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 38744939
Educating people about proper use is almost as good. It does not take much to undo group policies (having used them myself for this purpose). However, it could serve you well here.


... Thinkpads_User
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 38745118
@rbudj - Please let us know if we can help further, otherwise, you should probably close this question. ... Thinkpads_User
0
 
LVL 16

Author Closing Comment

by:rbudj
ID: 38773822
I am deciding to use local policy. Thanks for helping me brainstorm.
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many reasons a PC runs slower than when it was new, ranging from malicious software intended to mess things up to simple general Windows use.  Your PC performance may slowly degrade over time without you noticing but when you buy a PC from…
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question