Administrator account / Domain Admin rights

Archived from groups: microsoft.public.win2000.security (More info?)

I want to set a password for my domain admin, but I don't want anyone but the
admin account to be able to change it. So my question is how do I revoke the
rights to change the admin password from all my accounts, including my domain
admins? Or would it be better to just disable the admin account?

Marty
  1.

    I believe the answer is that you do not / cannot do that.
    The old story is "if you cannot trust their actions do not make
    them admins".

    Your exact question is a little fuzzy. You ask about setting a
    pwd for a domain admin. But then you speak of the admin account
    almost as if it is not a domain admin account.
    If you are speaking of a machine local account that is in the
    local administrators group, then it is possible to remove the
    domain admins group from the machine local administrators
    group - in which case only local admins can change the password
    of a local account. Of course, policies and agreements under
    which the machine is allowed to join the domain may prevent
    you from doing this.
    If you speak of a domain account, then any domain admin can
    reset the password, as can any account in the domain's
    Administrators group (whether it is in the Domain Admins or
    not).

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
  2.

    Roger;

    Thanks for your answer. My question was to do with the Domain Administrator
    account and the Domain Admin group. It's not that I don't trust my Domain
    Admins, it's an issue of forcing accountability. I'm in an organization that
    has been doing things a certain way for a while now, and that is that when
    someone logs into a server, they usually use that domain administrator
    account and password, not their own logon information, and I want them to use
    their own accounts so that we have tracking of what and who does what. My
    hope was to force them to this by changing the domain administrator password
    and not telling them, but it occurred to me that they could just go in and
    change the password if they wanted to. Now granted, I would have a record
    that they changed it and could question them about it, but I was hoping
    to not have to bother with that.

    Also, we are creating a child domain for a new company that we just
    bought, and I wanted to set the domain administrator account for that and not
    give them the password, and put a couple of guys out there in the domain admin
    group and again, not let them have the ability to change the domain
    administrator password.

    It was just a thought.

    Marty

  3.

    There is (almost) no difference between one Domain Admins member
    and another, except that they are different accounts. The domain account
    named Administrator (initially) has a couple of differences.
    In my opinion, if it is accountability you are after, you should not be
    sharing an empowered account between people, except under very
    restrictive policies. Rather, give each (of the hopefully very few)
    an individual account, and a set of guidelines for acceptable use.
    Only used on x, y, z machines - no logon elsewhere; only used when
    that priv is necessary, not used otherwise, etc.

    The best thing however is to not provide Domain Admins membership,
    but to look at what these people each do, and delegate to them. There
    really is only a small number of things that must be done with a Domain
    Admin account, or even with an account that is a member of the domain's
    Administrators group (which is quite different from Domain Admins and
    has a much more restricted scope of privs).

    If you must share an account, make it so it can only log on at specific
    consoles, and the process for gaining physical access to those will
    help document who was there when.

    Finally - every administrator should know that changing the password
    of any other account _is_not_to_be_done_, even for just a plain user,
    except as a last resort. Resetting the password of an account breaks its
    EFS usage in post-W2k. For the built-in Administrator account, or
    whichever has been set as the default DRA, this can be tragic.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
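The thread's point is that a Domain Admin cannot be stopped from resetting the Administrator password, only held to account for it afterwards via the record in the Security log. The following is an added example (not code from the thread or from Microsoft) of turning that record into a detection: it reads Security log events exported as flattened key=value lines and flags password resets, ranking a reset of a watched privileged account above an ordinary helpdesk reset. The sample log lines, the `PRIVILEGED_ACCOUNTS` watch list and the key=value export format are constructed for this example; the event IDs 4723 (a user changing their own password) and 4724 (an administrative reset of another account) are the IDs used on Windows Vista/2008 and later, whereas the Windows 2000 era of this thread logged the same events under different numbers.

```python
"""Attribute password-reset events on privileged accounts to the principal who performed them."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security log event IDs (Windows Vista/2008 and later)
EVENT_CHANGE_PASSWORD = 4723  # account holder changed their own password (knew the old one)
EVENT_RESET_PASSWORD = 4724   # an administrator reset another account's password

# Hypothetical watch list: the built-in Administrator plus whatever holds the DRA role.
PRIVILEGED_ACCOUNTS = {"administrator"}

# Constructed sample records (not real log data): one event per line, key=value fields.
SAMPLE_LOG = """\
EventID=4723 SubjectUserName=jsmith TargetUserName=jsmith TargetDomainName=CORP Computer=DC01
EventID=4724 SubjectUserName=jsmith TargetUserName=Administrator TargetDomainName=CORP Computer=DC01
EventID=4724 SubjectUserName=helpdesk1 TargetUserName=bjones TargetDomainName=CORP Computer=DC01
EventID=4724 SubjectUserName=Administrator TargetUserName=Administrator TargetDomainName=CORP Computer=DC02
EventID=4624 SubjectUserName=- TargetUserName=Administrator TargetDomainName=CORP Computer=SRV07
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    event_id: int
    subject: str    # who performed the reset
    target: str     # whose password was reset
    computer: str   # domain controller that logged the event
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value ...' line into a field dictionary."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(fields: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a password reset, or None for any other event."""
    try:
        event_id = int(fields.get("EventID", ""))
    except ValueError:
        return None
    if event_id != EVENT_RESET_PASSWORD:
        # Self-service changes (4723) and unrelated events (logons etc.) are not flagged.
        return None
    subject = fields.get("SubjectUserName", "?")
    target = fields.get("TargetUserName", "?")
    computer = fields.get("Computer", "?")
    if target.lower() in PRIVILEGED_ACCOUNTS:
        if subject.lower() == target.lower():
            # The shared account reset itself: the event cannot be tied to a person.
            return Finding("medium", event_id, subject, target, computer,
                           "shared privileged account reset its own password; not attributable")
        return Finding("high", event_id, subject, target, computer,
                       "privileged account password reset by another principal")
    # An ordinary reset still matters: it breaks the user's EFS access, as the thread notes.
    return Finding("low", event_id, subject, target, computer,
                   "administrative reset of a user password")


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every non-empty line and collect the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_record(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.computer}: {f.subject} reset password of {f.target} ({f.reason})")
```

Run against the sample, the scan yields three findings: jsmith resetting Administrator (high), helpdesk1 resetting bjones (low), and Administrator resetting itself (medium). The medium case is the one Marty's situation produces when everyone shares the Administrator logon: the event exists, but the subject is the shared account, so nothing in the log says which person was at the keyboard.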