Solved

Restrict Domain Admins From Changing Built-In Administrator Account Password

Posted on 2014-01-02
Last Modified: 2014-03-03
Hello Everyone,

Our company does IT outsourcing, so we have many different businesses, users, and servers to look after on a day-to-day basis. The problem that I am currently faced with is that as we grow we are requiring more techs to handle the workload, which is good but requires me to rethink our security policies, in that, if someone has to be let go, or quits, then instead of having a few passwords to change like in your typical in-house IT department, we have many passwords to change across many servers, many clients, and many devices. I've already worked out how to take care of most of the issues, such as network scanners that have the admin password for authentication to shares, but the main one I'm faced with right now is how do I make it so that my techs have the access they need to do work on the servers and perform installations and other things on local workstations, but cannot change the built-in administrator password. This way if one of them is let go or quits, all I have to do is go through each server and change the tech admin account password, since that's the only admin password they'll be privy to. Any help is greatly appreciated, thanks.
Question by:ctagle

Expert Comment

by:Will Szymkowski
ID: 39751446
What I would recommend is creating/using "service accounts" with long complex passwords for specific devices like scanners, services for specific applications etc. This way you do not have to go around and reset those passwords.

As for local admin accounts, you can use Group Policy Preferences to accomplish this and reset local admin accounts.

You can find the details at the following link.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b1e94909-bb0b-4e10-83a0-cd7812dfe073/change-local-administrator-password-thru-gpo?forum=winserverGP

Will.

Author Comment

by:ctagle
ID: 39752469
Thank you for the reply. That should work nicely for simplifying the process of changing the passwords, but I didn't see anything about restricting domain admin accounts from being able to change the password on the built-in admin account or on an account I specify. I can restrict the GPO I think and not tell them the password for the built-in admin account, but then they can just go into AD and change the password, right? Or am I missing something?

Expert Comment

by:Will Szymkowski
ID: 39752527
If the users need to be domain admins then you cannot stop them from changing the password. If they do not require domain admin rights then you can use delegation of control and restrict what your users can do. You can always audit password changes from the security logs on the domain controllers.

You might also be able to use the deny permission on the account for password reset (I would try this in a test environment first).

Will.

Author Comment

by:ctagle
ID: 39752589
Ah ok, is there a way that I can give them access to the admin functions, such as AD, Exchange, backups, share management, ability to install programs and updates on workstations (authenticating through UAC or logging on as the domain user they are assigned), etc... without making them a domain admin? If so then I think I could possibly figure something out; I haven't had much success in the past though with domain accounts having admin privileges on workstations unless they are domain admins.

Accepted Solution

by:Will Szymkowski (earned 500 total points)
ID: 39752631
You can use role based access control for Exchange and you can use delegation of control to set specific admin requirements. Below is a link which outlines some of the main functions you can delegate with delegation of control wizard.

http://technet.microsoft.com/en-us/library/dd145442.aspx

Will.
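One way to put Will's two suggestions into practice, the delegation of control from the accepted solution and the explicit deny on password reset plus security-log auditing from his earlier comment, as added example code that is not part of this thread. The group name Tier2-Techs and the OU are hypothetical placeholders; as Will says, this only constrains techs who are not Domain Admins, since Domain Admins can edit these ACLs themselves.

```powershell
# Added example (not from the thread): delegate password resets on one OU, deny that
# right on AD's protected accounts (built-in Administrator included), and audit attempts.
# Assumed/hypothetical: group "Tier2-Techs", OU "Workstation Users"; needs the
# ActiveDirectory module (which provides the AD: drive) and rights to edit the ACLs.
Import-Module ActiveDirectory

$techSid   = (Get-ADGroup 'Tier2-Techs').SID
$domainDn  = (Get-ADDomain).DistinguishedName
$userOu    = "OU=Workstation Users,$domainDn"
# "Reset Password" control-access right (User-Force-Change-Password)
$resetPw   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# Schema GUID of the 'user' class, so the allow ACE applies only to user objects
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$xr        = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Add-ResetPasswordAce {
    param([string]$Path,
          [System.Security.AccessControl.AccessControlType]$Type,
          [switch]$DescendantUsersOnly)
    $acl = Get-Acl -Path "AD:\$Path"
    $ace = if ($DescendantUsersOnly) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $techSid, $xr, $Type, $resetPw,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)
    } else {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $techSid, $xr, $Type, $resetPw)
    }
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

# 1. Allow: techs may reset passwords of user objects under the workstation-users OU
Add-ResetPasswordAce -Path $userOu -Type Allow -DescendantUsersOnly

# 2. Deny on AdminSDHolder: the built-in Administrator and other protected accounts get
#    their ACL re-stamped from this template every 60 minutes, so a deny placed directly
#    on the Administrator object would be overwritten; placing it here persists.
Add-ResetPasswordAce -Path "CN=AdminSDHolder,CN=System,$domainDn" -Type Deny

# 3. Detect: security event 4724 on a DC records password reset attempts; list those
#    aimed at the built-in Administrator and who issued them (4724 field order:
#    TargetUserName is index 0, SubjectUserName is index 4).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq 'Administrator' } |
    Select-Object TimeCreated,
        @{ n = 'Target';  e = { $_.Properties[0].Value } },
        @{ n = 'ResetBy'; e = { $_.Properties[4].Value } }
```

Run it from an elevated session on a domain controller (or against one via the ActiveDirectory module); the 4724 query is only useful if "Audit User Account Management" is enabled on the DCs.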

Author Comment

by:ctagle
ID: 39794547
Thanks for the replies, I'll be trying the Delegation of Control wizards once my mock-up server comes in. Should hopefully be this week, I'll let you know how it turns out.

Author Closing Comment

by:ctagle
ID: 39900912
Didn't really have much of a chance to try this stuff out, and there's no sense in leaving a question open. I will look into this more in depth now that I have a vSphere host in place that I can set up mock-up VMs on. Thank you for the information.