Restrict Domain Admins From Changing Built-In Administrator Account Password
Posted on 2014-01-02
Our company does IT Outsourcing, as such we have many different businesses, users, and servers to look after on a day-to-day basis. The problem that I am currently faced with is that as we grow we are requiring more techs to handle the workload, which is good but requires me to rethink our security policies, in that, if someone has to be let go, or quits, then instead of having a few passwords to change like in your typical in house IT department, we have many passwords to change, across, many servers, many clients, and many devices. I've already worked out how to take care of most of the issues, such as network scanners that have the admin password for authentication to shares, but the main one I'm faced with right now is how do I make it so that my techs have the access they need to do work on the servers and preform installations and other things on local workstations, but cannot change the built-in administrator password. This way if one of them is let go or quits, all I have to do is go through each server and change the tech admin account password since that's the only admin password they'll be privy to. Any help is greatly appreciated, thanks.