Administrator account / Domain Admin rights

Marty

Distinguished
Apr 3, 2004
Archived from groups: microsoft.public.win2000.security (More info?)

I want to set a password for my domain admin, but I don't want anyone but the
admin account to be able to change it. So my question is how do I revoke the
rights to change the admin password from all my accounts, including my domain
admins? Or would it be better to just disable the admin account?

Marty
 
Guest

I believe the answer is that you do not / cannot do that.
The old story is "if you cannot trust their actions, do not make
them admins."

Your exact question is a little fuzzy. You ask about setting a
pwd for a domain admin, but then you speak of the admin account
almost as if it is not a domain admin account.
If you are speaking of a machine local account that is in the
local Administrators group, then it is possible to remove the
Domain Admins group from the machine local Administrators
group - in which case only local admins can change the password
of a local account. Of course, policies and agreements under
which the machine is allowed to join the domain may prevent
you from doing this.
If you speak of a domain account, then any domain admin can
reset the password, and so can any account in the domain's
Administrators group (whether it is in Domain Admins or
not).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
 

Marty


Roger;

Thanks for your answer. My question was to do with the Domain Administrator
account and the Domain Admins group. It's not that I don't trust my Domain
Admins, it's an issue of forcing accountability. I'm in an organization that
has been doing things a certain way for a while now, and that is that when
someone logs into a server, they usually use that domain administrator
account and password, not their own logon information, and I want them to use
their own accounts so that we have tracking of who does what. My
hope was to force them to this by changing the domain administrator password
and not telling them, but it occurred to me that they could just go in and
change the password if they wanted to. Now granted, I would have a record
that they had changed it and could question them about it, but I was hoping
not to have to bother with that.

Also, we are creating a child domain for a new company that we just
bought, and I wanted to set the domain administrator account for that and not
give them the password, and put a couple of guys out there in the Domain Admins
group and again, not let them have the ability to change the domain
administrator password.

It was just a thought.

Marty

 
Guest

There is (almost) no difference between one Domain Admins member
and another, except that they are different accounts. The domain account
named Administrator (initially) has a couple of differences.
In my opinion, if it is accountability you are after, you should not be
sharing an empowered account between people, except under very
restrictive policies. Rather, give each (of the hopefully very few)
an individual account, and a set of guidelines for acceptable use.
Only used on x, y, z machines - no logon elsewhere; only used when
that priv is necessary, not used otherwise, etc.

The best thing, however, is to not provide Domain Admins membership,
but to look at what these people each do, and delegate to them. There
really is only a small number of things that must be done with a Domain
Admin account, or even with an account that is a member of the domain's
Administrators group (which is quite different from Domain Admins and
has a much more restricted scope of privs).

If you must share an account, make it so it can only log in at specific
consoles, and the process for gaining physical access to those will
help document who was there when.

Finally - every administrator should know that changing the password
of any other account _is_not_to_be_done_, even for just a plain user,
except as a last resort. Resetting the password of an account breaks its
EFS usage in post-W2k. For the built-in Administrator account, or
whichever has been set as the default DRA, this can be tragic.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
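Marty's fallback was to have "a record" of who used or reset the shared Administrator account; the advice above adds restricting it to a few known consoles. The following is an added example (not code from the thread or from Microsoft) that runs that accountability check over constructed Windows Security events: it lists logons by the shared account, marks those from hosts outside the allowed consoles, and lists password resets against the built-in Administrator or DRA account together with who performed them. The account names, host names and the event records are all made up for the example.

```python
# Added example: accountability checks for a shared domain Administrator
# account, run over constructed (not real) Windows Security event records.
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Event IDs as logged on Windows Vista/2008 and later. On Windows 2000/2003
# the equivalents are 528/540 (logon) and 628 (password reset).
LOGON = 4624
PASSWORD_RESET = 4724


@dataclass
class SecurityEvent:
    event_id: int
    subject: str       # account performing the action ("-" for logons)
    target: str        # account acted on; for logons, the account that logged on
    workstation: str   # host where the event was recorded
    logon_type: int = 0  # 2 interactive, 3 network, 10 remote interactive


# Constructed sample events; CORP, the hosts and the users are placeholders.
SAMPLE_EVENTS: List[SecurityEvent] = [
    SecurityEvent(LOGON, "-", "CORP\\Administrator", "FS01", 10),
    SecurityEvent(LOGON, "-", "CORP\\jdoe", "FS01", 10),
    SecurityEvent(LOGON, "-", "CORP\\Administrator", "DC01", 2),
    SecurityEvent(PASSWORD_RESET, "CORP\\jdoe", "CORP\\Administrator", "DC01"),
    SecurityEvent(PASSWORD_RESET, "CORP\\helpdesk1", "CORP\\bsmith", "DC01"),
]


def shared_account_logons(events: Iterable[SecurityEvent],
                          shared: str = "CORP\\Administrator",
                          allowed_hosts: Iterable[str] = ()) -> List[Dict]:
    """Logons by the shared account; flag those from outside the allowed consoles."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for e in events:
        if e.event_id == LOGON and e.target.lower() == shared.lower():
            findings.append({"host": e.workstation,
                             "logon_type": e.logon_type,
                             "outside_allowed": e.workstation.lower() not in allowed})
    return findings


def privileged_password_resets(events: Iterable[SecurityEvent],
                               watched: Iterable[str]) -> List[Dict]:
    """Resets of watched accounts (built-in Administrator, the DRA) and who did them."""
    watched_lc = {w.lower() for w in watched}
    return [{"by": e.subject, "account": e.target, "host": e.workstation}
            for e in events
            if e.event_id == PASSWORD_RESET and e.target.lower() in watched_lc]
```

The reset list is the record Marty wanted: a reset of the Administrator password by an individual account names that person, and the thread's EFS warning is one reason that record should be reviewed promptly.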