Solved

"Main" Administrator

Posted on 2013-01-04
Last Modified: 2013-01-14
I have to provide a solution for this scenario:

Single workstation running Windows Vista HP. No domain. The owner wants to be the "Main" administrator of the computer. The idea is to have a Standard account and an Administrator account. Everyone who uses the computer will work under the Standard account. Only the Manager and the Owner have the password to the Administrator account. Now, the Owner wants another Administrator account where he only knows the password. I told him the problem is that any administrator can change or delete the password of another administrator. It is my guess that the main issue here would be preventing any other account from changing or deleting the password of a "Main" administrator account. The only use for having the Manager's Administrator account is to perform some duties such as installing printers and programs.

I am looking for a solution to this problem. I prefer to handle this all through Windows although I am willing to look at third party software as a possible option.
Question by:rbudj
13 Comments
 
LVL 15

Expert Comment

by:jerseysam
ID: 38743773
You can set up accounts that have different names but still have Administrator or standard user profiles. So even though you have 3 "Administrator Privileged" accounts, they all have different names and passwords.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38743794
But yes you are correct, ANY administrator can change ANY other administrator's password.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38743795
As you point out, any administrator ID can change the password of every other account. But since only the Manager and Owner know the key passwords, that should be no problem. So set the Owner up with a new ID that is a member of the administrators group.

The bigger concern is that the Owner will go to dodgy places and hose the computer with viruses. Make this clear to the owner in diplomatic language. Make sure the computer has top grade, paid, commercial antivirus. Forget free A/V for this machine.

... Thinkpads_User
0
 
LVL 16

Author Comment

by:rbudj
ID: 38744126
Thanks for the replies.

There seems to be no budging the Owner from the requirement of having the top level administrator account. I can present to her that we can't do it exactly how she wants but I have to offer another solution. I wonder if I can use some Local Policy that will restrict changing passwords or to some other effect?

So really option 1 is:

Have only 1 Administrator account for Owner. Any time Manager or Employee needs to perform administrative task, Owner must enter password.

What other options can we come up with?
0
 
LVL 16

Author Comment

by:rbudj
ID: 38744189
I guess another option could be to use local policy to exclude user accounts from control panel, or remove control panel altogether.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 38744210
As we have noted, an Administrator can change / negate anything, so if the Owner wishes to be a member of the administrators group, then that is what we need to do.

Beyond Trust offers a granular approach for specific elevated permissions, and works like group policy, but it has a lot of overhead for one computer.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition

... Thinkpads_User
0

 
LVL 16

Author Comment

by:rbudj
ID: 38744438
I had better stick with a Windows solution. The owner wants simplicity. More or less a set it and forget it method.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 38744458
I understand. But there is no native Windows solution that will prevent an administrator from doing what they wish.

So you need to explain these responsibilities to the Owner and to the Manager. That is about all that is left now.

.... Thinkpads_User
0
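Because the thread concludes that Windows cannot stop one administrator from resetting another's password, the practical control left is detection. The PowerShell below is an added example, not part of the original thread: it lists the current members of the local Administrators group and reports account-management events from the Security log. It assumes PowerShell 2.0 or later is installed, that auditing of user account management is enabled, and it uses `OwnerAdmin` as a hypothetical name for the Owner's private administrator account.

```powershell
# Added example. Run from an elevated PowerShell prompt (the Security log needs admin rights).
# Assumption: account-management auditing is on; check with
#   auditpol /get /subcategory:"User Account Management"
$ProtectedAccount = 'OwnerAdmin'   # hypothetical name of the Owner's private admin account

# 1. Current members of the local Administrators group.
#    S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; resolving it
#    avoids depending on the (localized) group name.
$sid        = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminGroup = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
net localgroup $adminGroup

# 2. Security events that show one account acting on another.
$watch = @{
    4720 = 'account created'
    4724 = 'password reset by another account'
    4726 = 'account deleted'
    4732 = 'member added to a local group'
}
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4724, 4726, 4732 } `
                       -ErrorAction SilentlyContinue   # no matching events is not an error here

$report = foreach ($e in $events) {
    # Flatten the named <Data> fields of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        Action = $watch[$e.Id]
        Actor  = $data['SubjectUserName']   # account that performed the action
        Target = $data['TargetUserName']    # account acted on (for 4732: the group)
        Member = $data['MemberSid']         # only present on 4732: SID that was added
    }
}

# Full timeline, oldest first.
$report | Sort-Object Time | Format-Table Time, Action, Actor, Target, Member -AutoSize

# Resets of the Owner's account performed by any other account.
$report | Where-Object {
    $_.Action -like 'password reset*' -and
    $_.Target -eq $ProtectedAccount -and
    $_.Actor  -ne $ProtectedAccount
} | Format-Table Time, Actor, Target -AutoSize
```

This only detects changes after the fact; an administrator who can reset the password can also clear the Security log, so it does not replace limiting who holds an administrator password.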
 
LVL 90

Expert Comment

by:John Hurst
ID: 38744669
Moving on from all the comments here, get a copy of Ghost (cheap) or equivalent imaging solution and a USB hard drive. Make an image of the system so you can quickly restore the computer to operation when disaster strikes. ... Thinkpads_User
0
 
LVL 16

Accepted Solution

by:rbudj
rbudj earned 0 total points
ID: 38744917
I may go the route of disabling access to the control panel. Even though any administrator could undo the policy, no one using the computer will quite know how. Nor will they know how to use the command prompt to change the password.

I agree about the imaging. The owner though wants to call me as a last resort. So basically she has had some disgruntled employees in the past and wants to have the upper hand from now on. I think I have enough ideas to present her options.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38744939
Educating people about proper use is almost as good. It does not take much to undo group policies (having used them myself for this purpose). However, it could serve you well here.


... Thinkpads_User
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38745118
@rbudj - Please let us know if we can help further, otherwise, you should probably close this question. ... Thinkpads_User
0
 
LVL 16

Author Closing Comment

by:rbudj
ID: 38773822
I am deciding to use local policy. Thanks for helping me brainstorm.
0
