Urgent - Stop shutdown command from shutting down domain st..

December 12, 2004 9:12:05 AM

Archived from groups: microsoft.public.win2000.security

Hello,

In our organization in addition to me one of the managers has the admin
password to 2000 active directory domain.

He has recently learned to restart the stations using "shutdown -i" (he
uses the administrator account and he himself told me that he makes fun
by shutting down some people's computers)

Is there any domain policy that can disable this feature and stop the
administrator from shutting down stations?

This is going to cost my job.

Regards,
Mac
Anonymous
December 12, 2004 10:10:31 PM

Which aspect of this problem is going to cost you your job --

* that a non-admin person knows the admin password
* that this person gleefully causes denial of service attacks
* that you need a way to stop this behavior

If you report directly to the trouble-causing manager, you have no way to
solve your problem short of leaving before you get fired. It is career
suicide to work for someone who blatantly abuses privileges they (rightly or
wrongly) possess. This person will do everything in his/her power to deflect
all blame toward you.

If you don't work for this manager, what if you just change the admin
password? Will there be any repercussions? Will your manager support your
decision when this abusive manager complains his fun has been taken away?

Steve Riley
steriley@microsoft.com



"Mac" <newsgroupRemove@Removehost111.com> wrote in message
news:u$THQSF4EHA.2192@TK2MSFTNGP14.phx.gbl...
> Hello,
>
> In our organization in addition to me one of the managers has the admin
> password to 2000 active directory domain.
>
> He has recently learned to restart the stations using "shutdown -i" (he
> uses the administrator account and he himself told me that he makes fun
> by shutting down some people's computers)
>
> Is there any domain policy that can disable this feature and stop the
> administrator from shutting down stations?
>
> This is going to cost my job.
>
> Regards,
> Mac
>
Anonymous
December 13, 2004 12:45:26 AM

Quite the analysis Steve.

I would propose that, even if OP does report to this manager, if you
are right that the OP sooner or later will take heat or leave, it may be
possible for the OP to change all admin passwords and refuse to
disclose them unless/until this manager came to terms with just what
responsible action is (assuming this is within their means).
The manager would not elevate to next higher mgmt, the manager
could not just discipline/relieve the OP, . . . That manager would be
between a rock and a hard place and would not want it to be known.

The OP (assuming the behaviors of the manager could be established)
could certainly make a case for having prevented disruptive activity
that was resulting in productivity loss. It is a matter of whether the
remaining work environment would be breathable.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:o RgMOFM4EHA.3596@TK2MSFTNGP12.phx.gbl...
> Which aspect of this problem is going to cost you your job --
>
> * that a non-admin person knows the admin password
> * that this person gleefully causes denial of service attacks
> * that you need a way to stop this behavior
>
> If you report directly to the trouble-causing manager, you have no way to
> solve your problem short of leaving before you get fired. It is career
> suicide to work for someone who blatantly abuses privileges they (rightly
> or wrongly) possess. This person will do everything in his/her power to
> deflect all blame toward you.
>
> If you don't work for this manager, what if you just change the admin
> password? Will there be any repercussions? Will your manager support your
> decision when this abusive manager complains his fun has been taken away?
>
> Steve Riley
> steriley@microsoft.com
>
>
>
> "Mac" <newsgroupRemove@Removehost111.com> wrote in message
> news:u$THQSF4EHA.2192@TK2MSFTNGP14.phx.gbl...
>> Hello,
>>
>> In our organization in addition to me one of the managers has the admin
>> password to 2000 active directory domain.
>>
>> He has recently learned to restart the stations using "shutdown -i" (he
>> uses the administrator account and he himself told me that he makes fun
>> by shutting down some people's computers)
>>
>> Is there any domain policy that can disable this feature and stop the
>> administrator from shutting down stations?
>>
>> This is going to cost my job.
>>
>> Regards,
>> Mac
>>
>
>
December 13, 2004 9:24:04 AM

Hello,

Actually he is vice president of a bank with 300 branches and I can
never win if I announce this. I'd rather stop this quietly.

Regards,
Mac
Anonymous
December 14, 2004 2:17:56 AM

That is tough.
Consider that "the Administrator" of the first DC is the predefined
default recovery agent for EFS.
I would suggest that you use this fact, that the (currently shared?)
Administrator account has special properties, and (if you are a US firm)
use the privacy of financial records laws, to motivate defining accounts
for privileged use. Indicate that this is to assure accountability via the
logging. Then, define accounts (not necessarily members of either the
Administrators group or the Domain Admins group) that have delegated
what is needed for the tasks to be done.
Outline that transitioning to the use of personally unique privileged
accounts is an essential part of a strategy for securing the environment
and for complying with US laws.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Mac" <newsgroupRemove@Removehost111.com> wrote in message
news:eRMum9R4EHA.2316@TK2MSFTNGP15.phx.gbl...
> Hello,
>
> Actually he is vice president of a bank with 300 branches and I can
> never win if I announce this. I'd rather stop this quietly.
>
> Regards,
> Mac
Anonymous
December 14, 2004 6:09:02 AM

Good strategic call!

It bridges the gap between technical (almost nothing is impossible) vs what
business really understands or cares about like SOX (or need to be educated
if not).


"Roger Abell [MVP]" wrote:

> That is tough.
> Consider that "the Administrator" of the first DC is the predefined
> default recovery agent for EFS.
> I would suggest that you use this fact, that the (currently shared?)
> Administrator account has special properties, and (if you are a US firm)
> use the privacy of financial records laws, to motivate defining accounts
> for privileged use. Indicate that this is to assure accountability via the
> logging. Then, define accounts (not necessarily members of either the
> Administrators group or the Domain Admins group) that have delegated
> what is needed for the tasks to be done.
> Outline that transitioning to the use of personally unique privileged
> accounts is an essential part of a strategy for securing the environment
> and for complying with US laws.
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Mac" <newsgroupRemove@Removehost111.com> wrote in message
> news:eRMum9R4EHA.2316@TK2MSFTNGP15.phx.gbl...
> > Hello,
> >
> > Actually he is vice president of a bank with 300 branches and I can
> > never win if I announce this. I'd rather stop this quietly.
> >
> > Regards,
> > Mac
>
>
>