protecting administrator password - windows 8 and 7

Hi,
I have two pcs Windows 8.1pro and Win7 pro. I have two users on these pcs, first user named "admin", and second user named "John". They both have administrator rights, that way John can use the pc without restriction - "installing apps ect..". Is there a way I can protect user "admin" password from being able to be change by the other user ?  We had an incident where John left the company, and he knew enough to change both passwords. We were able to get back in using other password utility to unlock, but I am wondering if there is another way. Thanks in advance.
tinobeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

andreasSystem AdminCommented:
Set up an AD domain, join the PCs to it and give the users only local Admin rights. This way , the domain admins always can log back in.
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
Users don't get admin rights. If this is on a domain, you can set your group policies to enforce a specific local admin account and password.
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
andreas is correct - UNTIL the user figures out that all they have to do is remove the domain admins group from the local administrators group.  And frankly, even group policy that I suggest is thwartable if the user removes the machine from the domain.  Add bitlocker to the mix and if he encrypts the hard drive and disjoins from the domain, then you're REALLY out of luck.
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

McKnifeCommented:
No, you cannot keep a local admin from changing the password of other local accounts. Of course he cannot change the pw of other domain accounts, so that would be a different thing. Are we talking about domain accounts here?

But: seeing it more critically: it seems you don't fully trust those two users (or at least one). If that is the case, don't make them admins. An admin can easily spy on passwords that are used by other users of the same machine in order to impersonate them and do whatever he likes.
0
tinobeAuthor Commented:
Thank you for the responds, These machines are not on a domain, it is just connected to a win2008 server for simple database access. It looks like the next setup - I will remove the other user "admin" right to the local machine. Thanks again.
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
If you have a server, I have never really seen the point of not setting up a domain.  Would likely have made this easier on you.
0
andreasSystem AdminCommented:
Local user always wins over a remote admin, except files of the user to be protected are ancrypted in a way the local admin cannot spy. Key files and passwords are not suitable. The only way is to encrypt/decrypt via Key on external smartcard.
Local admins/users always can do damage to the system if they have the intention to do so, in worst case he connects the internal harddisk to a device he owns and modify/delete the contents bypassing all password protection on that machine.

To secure local machines.

Lock them up physically with case locks
prevent booting from user supplieable media/drives (DVD/CD, USB, SD,...) (on some mainboards its impossible)
remove admin rights from all local users.
encrypt critical local files for each user
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.