Admin members and passwords

Archived from groups: microsoft.public.win2000.security (More info?)

Is it possible to prevent other members of domain admins
from changing your own user account password.

I'm a domain admin user but need to be able to restrict
other domian admin users from accessing my account. is
there an option in account options..?

Can you hide a user account....I don't think so but
thought I'd ask anyway.

any ideas would be appreciated.
3 answers Last reply
More about admin members passwords
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Ultimately you can not do that. You can however enable auditing of account management
    on Domain Controller Security Policy and password resets will show up in the security
    log unless the log was erased which would in itself leave an event. Otherwise you can
    try this. Go to your user account in AD Users and Computers and in your account
    properties/security either add yourself as full control and remove all other
    administrators groups or to be more subtle, just scroll down the list of permissions
    and apply "deny" for reset password to the administrators group. Now this will also
    prevent your from resetting your password, though you can still change it via normal
    ways or remove the deny permission if you do need to reset it. The face that the
    reset permission is no immediately available until you scroll down the list may leave
    some of them scratching their heads assuming they know where to look in the first
    place. --- Steve


    "Liam" <anonymous@discussions.microsoft.com> wrote in message
    news:2136601c45af5$7dfbae30$a601280a@phx.gbl...
    >
    > Is it possible to prevent other members of domain admins
    > from changing your own user account password.
    >
    > I'm a domain admin user but need to be able to restrict
    > other domian admin users from accessing my account. is
    > there an option in account options..?
    >
    > Can you hide a user account....I don't think so but
    > thought I'd ask anyway.
    >
    > any ideas would be appreciated.
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    AdminSDHolder functionality will prevent this from working. He will set it and
    within an hour sdprop will come along and "fix" it.

    The answer to this is no. If you can't trust your admins, they shouldn't be admins.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Steven L Umbach wrote:
    > Ultimately you can not do that. You can however enable auditing of account management
    > on Domain Controller Security Policy and password resets will show up in the security
    > log unless the log was erased which would in itself leave an event. Otherwise you can
    > try this. Go to your user account in AD Users and Computers and in your account
    > properties/security either add yourself as full control and remove all other
    > administrators groups or to be more subtle, just scroll down the list of permissions
    > and apply "deny" for reset password to the administrators group. Now this will also
    > prevent your from resetting your password, though you can still change it via normal
    > ways or remove the deny permission if you do need to reset it. The face that the
    > reset permission is no immediately available until you scroll down the list may leave
    > some of them scratching their heads assuming they know where to look in the first
    > place. --- Steve
    >
    >
    > "Liam" <anonymous@discussions.microsoft.com> wrote in message
    > news:2136601c45af5$7dfbae30$a601280a@phx.gbl...
    >
    >>Is it possible to prevent other members of domain admins
    >>from changing your own user account password.
    >>
    >>I'm a domain admin user but need to be able to restrict
    >>other domian admin users from accessing my account. is
    >>there an option in account options..?
    >>
    >>Can you hide a user account....I don't think so but
    >>thought I'd ask anyway.
    >>
    >>any ideas would be appreciated.
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Thanks Joe. I was not aware of that. --- Steve


    "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    news:OYdmTbHXEHA.4020@TK2MSFTNGP09.phx.gbl...
    > AdminSDHolder functionality will prevent this from working. He will set it and
    > within an hour sdprop will come along and "fix" it.
    >
    > The answer to this is no. If you can't trust your admins, they shouldn't be admins.
    >
    > --
    > Joe Richards Microsoft MVP Windows Server Directory Services
    > www.joeware.net
    >
    >
    >
    > Steven L Umbach wrote:
    > > Ultimately you can not do that. You can however enable auditing of account
    management
    > > on Domain Controller Security Policy and password resets will show up in the
    security
    > > log unless the log was erased which would in itself leave an event. Otherwise you
    can
    > > try this. Go to your user account in AD Users and Computers and in your account
    > > properties/security either add yourself as full control and remove all other
    > > administrators groups or to be more subtle, just scroll down the list of
    permissions
    > > and apply "deny" for reset password to the administrators group. Now this will
    also
    > > prevent your from resetting your password, though you can still change it via
    normal
    > > ways or remove the deny permission if you do need to reset it. The face that the
    > > reset permission is no immediately available until you scroll down the list may
    leave
    > > some of them scratching their heads assuming they know where to look in the first
    > > place. --- Steve
    > >
    > >
    > > "Liam" <anonymous@discussions.microsoft.com> wrote in message
    > > news:2136601c45af5$7dfbae30$a601280a@phx.gbl...
    > >
    > >>Is it possible to prevent other members of domain admins
    > >>from changing your own user account password.
    > >>
    > >>I'm a domain admin user but need to be able to restrict
    > >>other domian admin users from accessing my account. is
    > >>there an option in account options..?
    > >>
    > >>Can you hide a user account....I don't think so but
    > >>thought I'd ask anyway.
    > >>
    > >>any ideas would be appreciated.
    > >
    > >
    > >
Ask a new question

Read More

Security Domain Microsoft Windows