Urgent - Stop shutdown command from shuting down domain st..

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

In our organization in adition to me one of the managers has the admin
password to 2000 active directory domain.

He has recently learned to restart the stations using "shutdown -i" (he
uses the administrator account and he himself told me that he makes fun
by shutting down some people's computers)

Is there any domain policy that can disable this feature and stop the
administrator from shutting down stations?

This is going to cost my job.

Regards,
Mac
5 answers Last reply
More about urgent stop shutdown command shuting domain
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Which aspect of this problem is going to cost you your job --

    * that a non-admin person knows the admin password
    * that this person gleefully causes denial of service attacks
    * that you need a way to stop this behavior

    If you report directly to the trouble-causing manager, you have no way to
    solve your problem short of leaving before you get fired. It is career
    suicide to work for someone who blatantly abuses privileges they (rightly or
    wrongly) possess. This person will do everything in his/her power to deflect
    all blame toward you.

    If you don't work for this manager, what if you just change the admin
    password? Will there be any repercussions? Will your manager support your
    decision when this abusive manager complains his fun has been taken away?

    Steve Riley
    steriley@microsoft.com


    "Mac" <newsgroupRemove@Removehost111.com> wrote in message
    news:u$THQSF4EHA.2192@TK2MSFTNGP14.phx.gbl...
    > Hello,
    >
    > In our organization in adition to me one of the managers has the admin
    > password to 2000 active directory domain.
    >
    > He has recently learned to restart the stations using "shutdown -i" (he
    > uses the administrator account and he himself told me that he makes fun
    > by shutting down some people's computers)
    >
    > Is there any domain policy that can disable this feature and stop the
    > administrator from shutting down stations?
    >
    > This is going to cost my job.
    >
    > Regards,
    > Mac
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Quite the analysis Steve.

    I would propose that, even if OP does report to this manager, if you
    are right that the OP sooner or later will take heat or leave, it may be
    possible for the OP to change all admin passwords and refuse to
    disclose them unless//until this manager came to terms with just what
    responsible action is (assuming this is within their means).
    The manager would not elevate to next higher mgmt, the manager
    could not just discipline/releave the OP, . . . That manager would be
    between a rock and a hard place and would not want it to be known.

    The OP (assuming the bahaviors of the manager could be established)
    could certainly make a case for having prevented disruptive activity
    that was resulting in productivity loss. It is a matter of whether the
    remaining work environment would be breathable .
    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
    "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
    news:ORgMOFM4EHA.3596@TK2MSFTNGP12.phx.gbl...
    > Which aspect of this problem is going to cost you your job --
    >
    > * that a non-admin person knows the admin password
    > * that this person gleefully causes denial of service attacks
    > * that you need a way to stop this behavior
    >
    > If you report directly to the trouble-causing manager, you have no way to
    > solve your problem short of leaving before you get fired. It is career
    > suicide to work for someone who blatantly abuses privileges they (rightly
    > or wrongly) possess. This person will do everything in his/her power to
    > deflect all blame toward you.
    >
    > If you don't work for this manager, what if you just change the admin
    > password? Will there be any repercussions? Will your manager support your
    > decision when this abusive manager complains his fun has been taken away?
    >
    > Steve Riley
    > steriley@microsoft.com
    >
    >
    >
    > "Mac" <newsgroupRemove@Removehost111.com> wrote in message
    > news:u$THQSF4EHA.2192@TK2MSFTNGP14.phx.gbl...
    >> Hello,
    >>
    >> In our organization in adition to me one of the managers has the admin
    >> password to 2000 active directory domain.
    >>
    >> He has recently learned to restart the stations using "shutdown -i" (he
    >> uses the administrator account and he himself told me that he makes fun
    >> by shutting down some people's computers)
    >>
    >> Is there any domain policy that can disable this feature and stop the
    >> administrator from shutting down stations?
    >>
    >> This is going to cost my job.
    >>
    >> Regards,
    >> Mac
    >>
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Hello,

    Actually he is vice president of a bank with 300 branches and I can
    never win if I announce this. I'd rather stop this quietly.

    Regards,
    Mac
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    That is tough.
    Consider that "the Administrator" of the first DC is by the predefined
    default recovery agent for EFS
    I would suggest that you use this fact, that the (currently shared?)
    Administrator account has special properties, and (if you are a US firm)
    use the privacy of financial records laws, to motivate defining accounts
    for privileged use. Indicate that this is to assure accountability via the
    logging. Then, define accounts (not necessarily members of either the
    Administrators group or the Domain Admins group) that have delegated
    what is needed for the tasks to be done.
    Outline that transitioning to the use of personally unique privileged
    accounts
    is an essential part of a strategy for securing the environment and for
    complying with US laws.
    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
    "Mac" <newsgroupRemove@Removehost111.com> wrote in message
    news:eRMum9R4EHA.2316@TK2MSFTNGP15.phx.gbl...
    > Hello,
    >
    > Actually he is vice president of a bank with 300 branches and I can
    > never win if I announce this. I'd rather stop this quietly.
    >
    > Regards,
    > Mac
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    Good strategic call!

    It bridges the gap between technical (almost nothing is impossible) vs what
    business really understands or cares about like SOX (or need to be educated
    if not).


    "Roger Abell [MVP]" wrote:

    > That is tough.
    > Consider that "the Administrator" of the first DC is by the predefined
    > default recovery agent for EFS
    > I would suggest that you use this fact, that the (currently shared?)
    > Administrator account has special properties, and (if you are a US firm)
    > use the privacy of financial records laws, to motivate defining accounts
    > for privileged use. Indicate that this is to assure accountability via the
    > logging. Then, define accounts (not necessarily members of either the
    > Administrators group or the Domain Admins group) that have delegated
    > what is needed for the tasks to be done.
    > Outline that transitioning to the use of personally unique privileged
    > accounts
    > is an essential part of a strategy for securing the environment and for
    > complying with US laws.
    > --
    > Roger Abell
    > Microsoft MVP (Windows Server System: Security)
    > MCDBA, MCSE W2k3+W2k+Nt4
    > "Mac" <newsgroupRemove@Removehost111.com> wrote in message
    > news:eRMum9R4EHA.2316@TK2MSFTNGP15.phx.gbl...
    > > Hello,
    > >
    > > Actually he is vice president of a bank with 300 branches and I can
    > > never win if I announce this. I'd rather stop this quietly.
    > >
    > > Regards,
    > > Mac
    >
    >
    >
Ask a new question

Read More

Domain Command Prompt Shutdown Windows