"Main" Administrator

I have to provide a solution for this scenario:

Single workstation running Windows Vista HP. No domain. The owner wants to be the "Main" administrator of the computer. The idea is to have a Standard account and an Administrator account. Everyone who uses the computer will work under the Standard account. Only the Manager and the Owner have the password to the Administrator account. Now, the Owner wants another Administrator account where he only knows the password. I told him the problem is that any administrator can change or delete the password of another administrator. It is my guess that the main issue here would be preventing any other account from changing or deleting the password of a "Main" administrator account. The only use for having the Manager's Administrator account is to perform some duties such as installing printers and programs.

I am looking for a solution to this problem. I prefer to handle this all through Windows although I am willing to look at third party software as a possible option.
rbudj Asked:

jerseysam Commented:
You can set up accounts that have different names but still have Administrator or standard user profiles. So even though you have 3 "Administrator Privileged" accounts, they all have different names and passwords.
0
Neil Russell, Technical Development Lead, Commented:
But yes, you are correct, ANY administrator can change ANY other administrator's password.
0
John, Business Consultant (Owner), Commented:
As you point out, any administrator ID can change the password of every other account. But since only the Manager and Owner know the key passwords, that should be no problem. So set the Owner up with a new ID that is a member of the administrators group.

The bigger concern is that the Owner will go to dodgy places and hose the computer with viruses. Make this clear to the owner in diplomatic language. Make sure the computer has top grade, paid, commercial antivirus. Forget free A/V for this machine.

.... Thinkpads_User
0

rbudj, Author, Commented:
Thanks for the replies.

There seems to be no budging the Owner from the requirement of having the top level administrator account. I can present to her that we can't do it exactly how she wants but I have to offer another solution. I wonder if I can use some Local Policy that will restrict changing passwords or to some other effect?

So really option 1 is:

Have only 1 Administrator account for the Owner. Any time the Manager or an Employee needs to perform an administrative task, the Owner must enter the password.

What other options can we come up with?
0
rbudj, Author, Commented:
I guess another option could be to use local policy to exclude user accounts from control panel, or remove control panel altogether.
0
John, Business Consultant (Owner), Commented:
As we have noted, an Administrator can change / negate anything, so if the Owner wishes to be a member of the administrators group, then that is what we need to do.

Beyond Trust offers a granular approach for specific elevated permissions, and works like group policy, but it has a lot of overhead for one computer.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition

... Thinkpads_User
0
rbudj, Author, Commented:
I had better stick with a Windows solution. The owner wants simplicity. More or less a set it and forget it method.
0
John, Business Consultant (Owner), Commented:
I understand. But there is no native Windows solution that will prevent an administrator from doing what they wish.

So you need to explain these responsibilities to the Owner and to the Manager. That is about all that is left now.

.... Thinkpads_User
0
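The thread's conclusion is that Windows cannot block one administrator from resetting another's password, but the Security log can record it as event 4724. The following is an added example, not something posted by any participant, that picks out resets aimed at one protected account. It assumes PowerShell 2.0 or later is installed; the account names `Owner` and `Manager`, the computer name `FRONTDESK` and the sample event are constructed for illustration.

```powershell
# Added example. 'Owner', 'Manager' and 'FRONTDESK' are hypothetical names;
# the event below is constructed sample data in the Security-log XML layout.
$sampleEvents = @(@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2019-01-15T09:30:00.000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">Owner</Data>
    <Data Name="SubjectUserName">Manager</Data>
    <Data Name="SubjectDomainName">FRONTDESK</Data>
  </EventData>
</Event>
'@)

function Get-PasswordResetFinding {
    param(
        [Parameter(Mandatory = $true)][string[]]$EventXml,
        [Parameter(Mandatory = $true)][string]$ProtectedAccount
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # 4724 = "An attempt was made to reset an account's password"
        if ([int]$evt.System.EventID -ne 4724) { continue }
        # Flatten the <Data Name="..."> elements into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Skip other targets and resets the protected account made on itself
        if ($data['TargetUserName'] -ne $ProtectedAccount) { continue }
        if ($data['SubjectUserName'] -eq $ProtectedAccount) { continue }
        New-Object PSObject -Property @{
            Time    = $evt.System.TimeCreated.GetAttribute('SystemTime')
            ResetBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target  = $data['TargetUserName']
        }
    }
}

Get-PasswordResetFinding -EventXml $sampleEvents -ProtectedAccount 'Owner'

# Live use (elevated prompt; auditing must first be enabled with
#   auditpol /set /subcategory:"User Account Management" /success:enable):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} | ForEach-Object { $_.ToXml() }
# Get-PasswordResetFinding -EventXml $xml -ProtectedAccount 'Owner'
```

Because an administrator can also clear the Security log, the log-cleared event (1102) is worth reviewing alongside these findings.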
John, Business Consultant (Owner), Commented:
Moving on from all the comments here, get a copy of Ghost (cheap) or equivalent imaging solution and a USB hard drive. Make an image of the system so you can quickly restore the computer to operation when disaster strikes. ... Thinkpads_User
0
rbudj, Author, Commented:
I may go the route of disabling access to the control panel. Even though any administrator could undo the policy, no one using the computer will quite know how. Nor will they know how to use the command prompt to change the password.

I agree about the imaging. The owner though wants to call me as a last resort. So basically she has had some disgruntled employees in the past and wants to have the upper hand from now on. I think I have enough ideas to present her options.
0

John, Business Consultant (Owner), Commented:
Educating people about proper use is almost as good. It does not take much to undo group policies (having used them myself for this purpose). However, it could serve you well here.


... Thinkpads_User
0
John, Business Consultant (Owner), Commented:
@rbudj - Please let us know if we can help further, otherwise, you should probably close this question. ... Thinkpads_User
0
rbudj, Author, Commented:
I am deciding to use local policy. Thanks for helping me brainstorm.
0