Solved

"Main" Administrator

Posted on 2013-01-04
13
263 Views
Last Modified: 2013-01-14
I have to provide a solution for this scenario:

Single workstation running Windows Vista HP. No domain. The owner wants to be the "Main" administrator of the computer. The idea is to have a Standard account and an Administrator account. Everyone who uses the computer will work under the Standard account. Only the Manager and the Owner have the password to the Administrator account. Now, the Owner wants another Administrator account where he only knows the password. I told him the problem is that any administrator can change or delete the password of another administrator. It is my guess that the main issue here would be preventing any other account from changing or deleting the password of a "Main" administrator account. The only use for having the Managers Administrator account is to perform some duties such as installing printers and programs.

I am looking for a solution to this problem. I prefer to handle this all through Windows although I am willing to look at third party software as a possible option.
0
Comment
Question by:rbudj
13 Comments
 
LVL 15

Expert Comment

by:jerseysam
ID: 38743773
You can set up accounts that have different names but still have Administrator or standard user profiles. So even though you have 3 "Administrator Privaledged" accounts, they all have different names and passwords.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38743794
But yes you are correct, ANY administrator can change ANY other administrators password.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 38743795
As you point out, any adminstrator ID can change the password of every other account. But since only the Manager and Owner know the key passwords, that should be no problem. So set the Owner up with a new ID that is a member of the administrators group.

The bigger concern is that the Owner will go to dodgy places and hose the computer with viruses. Make this clear to the owner in diplomatic language. Make sure the computer has top grade, paid, commercial antivirus. Forget free A/V for this machine

.... Thinkpads_User
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 16

Author Comment

by:rbudj
ID: 38744126
Thanks for the replies.

There seems to be no budging the Owner from the requirement of having the top level administrator account. I can present to her that we can't do it exactly how she wants but I have to offer another solution. I wonder if I can use some Local Policy that will restrict changing passwords or to some other effect?

So really option 1 is:

Have only 1 Administrator account for Owner. Any time Manager or Employee needs to perform administrative task, Owner must enter password.

What other options can we come up with?
0
 
LVL 16

Author Comment

by:rbudj
ID: 38744189
I guess another option could be to use local policy to exclude user accounts from control panel, or remove control panel all together.
0
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 38744210
As we have noted, an Administrator can change / negate anything, so if the Owner wishes to be a member of the administrators group, then that is what we need to do.

Beyond Trust offers a granular approach for specific elevated permissions, and works like group policy, but it has a lot of overhead for one computer.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition

... Thinkpads_User
0
 
LVL 16

Author Comment

by:rbudj
ID: 38744438
I had better stick with a Windows solution. The owner wants simplicity. More or less a set it and forget it method.
0
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 38744458
I understand. But there is no native Windows solution that will prevent an administrator from doing what they wish.

So you need to explain these responsibilities to the Owner and to the Manager. That is about all that is left now.

.... Thinkpads_User
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 38744669
Moving on from all the comments here, get a copy of Ghost (cheap) or equivalent imaging solution and a USB hard drive. Make an image of the system so you can quickly restore the computer to operation when disaster strikes. ... Thinkpads_User
0
 
LVL 16

Accepted Solution

by:
rbudj earned 0 total points
ID: 38744917
I may go the route of disabling access to the control panel. Even though any administrator could undo the policy, no one using the computer will quite know how. Nor will they know how to use the command prompt to change the password.

I agree about the imaging. The owner though wants to call me as a last resort. So basically she has had some disgruntled employees in the past and wants to have the upper hand from now on. I think I have enough ideas to present her options.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 38744939
Educating people about proper use is almost as good. It does not take much to undo group policies (having used them myself for this purpose). However, it could serve you well here.


... Thinkpads_User
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 38745118
@rbudj - Please let us know if we can help further, otherwise, you should probably close this question. ... Thinkpads_User
0
 
LVL 16

Author Closing Comment

by:rbudj
ID: 38773822
I am deciding to use local policy. Thanks for helping me brainstorm.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The main issue when installing Vista and XP in dual boot is when you have to reinstall any of the two when something fails, let's say a hard disk failure, a lost partition, virus, etc. What commonly happens is that you lose all your hard work config…
The Service applet starts in Extended Mode by Default, with a taskpad on the left of the services pane. This view mode was introduced in XP. As I find it not very usefull, I like to use the Standard view as default, and without the Console tree. …
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question