Administrator account / Domain Admin rights

I want to set a password for my domain admin, but I don't want anyone but the
admin account to be able to change it. So my question is how do I revoke the
rights to change the admin password from all my accounts, including my domain
admins? Or would it be better to just disable the admin account?

Marty
 
I believe the answer is that you do not / cannot do that.
The old story is "if you cannot trust their actions, do not make
them admins".

Your exact question is a little fuzzy. You ask about setting a
pwd for a domain admin. But then you speak of the admin account
almost as if it is not a domain admin account.
If you are speaking of a machine local account that is in the
local administrators group, then it is possible to remove the
domain admins group from the machine local administrators
group - in which case only local admins can change the password
of a local account. Of course, policies and agreements under
which the machine is allowed to join the domain may prevent
you from doing this.
If you speak of a domain account, then any domain admin can
reset the password, and so can any account in the domain's
Administrators group (whether it is in Domain Admins or
not).
 
Roger;

Thanks for your answer. My question was to do with the Domain Administrator
account and the Domain Admin group. It's not that I don't trust my Domain
Admins, it's an issue of forcing accountability. I'm in an organization that
has been doing things a certain way for a while now, and that is that when
someone logs into a server, they usually use that domain administrator
account and password, not their own logon information, and I want them to use
their own accounts so that we have tracking of who does what. My
hope was to force them to this by changing the domain administrator password
and not telling them, but it occurred to me that they could just go in and
change the password if they wanted to. Now granted, I would have a record
that they changed it and could question them about it, but I was hoping
not to have to bother with that.

Also, we are creating a child domain for a new company that we just
bought, and I wanted to set the domain administrator account for that and not
give them the password, put a couple of guys out there in the domain admin
group and, again, not let them have the ability to change the domain
administrator password.

It was just a thought.

Marty
 
There is (almost) no difference between one Domain Admins member
and another, except that they are different accounts. The domain account
named Administrator (initially) has a couple of differences.
In my opinion, if it is accountability you are after, you should not be
sharing an empowered account between people, except under very
restrictive policies. Rather, give each (of the hopefully very few)
an individual account, and a set of guidelines for acceptable use:
only used on x, y, z machines - no logon elsewhere; only used when
that priv is necessary, not used otherwise; etc.

The best thing, however, is to not provide Domain Admins membership,
but to look at what these people each do, and delegate to them. There
really is only a small number of things that must be done with a Domain
Admin account, or even with an account that is a member of the domain's
Administrators group (which is quite different from Domain Admins and
has a much more restricted scope of privs).

If you must share an account, make it so it can only log in at specific
consoles, and the process for gaining physical access to those will
help document who was there when.

Finally - every administrator should know that changing the password
of any other account _is_not_to_be_done_, even for just a plain user,
except as a last resort. Resetting the password of an account breaks its
EFS usage in post-W2k. For the built-in Administrator account, or
whichever has been set as the default DRA, this can be tragic.
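The two controls the last reply recommends (confine a shared account to named consoles, and keep a record of who resets whose password) as an added PowerShell example that is not from either poster; it assumes the RSAT ActiveDirectory module, and the console hostnames, DC name and account name are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT) is installed and the caller is a domain admin. Hostnames, the DC
# name and the account name are placeholders.
Import-Module ActiveDirectory

$sharedAccount = 'Administrator'                         # shared account the thread discusses
$consoles      = @('ADMIN-CONSOLE01', 'ADMIN-CONSOLE02') # placeholder NetBIOS names

# 1. Confine the shared account to named consoles (userWorkstations attribute).
#    Whoever uses it must then reach those machines physically, which is the
#    audit trail the reply describes.
Set-ADUser -Identity $sharedAccount -LogonWorkstations ($consoles -join ',')

# 2. Review who still holds the two privileged memberships the reply contrasts.
foreach ($g in 'Domain Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, objectClass
}

# 3. Detect password resets of the shared account. Security event 4724 is
#    "An attempt was made to reset an account's password"; SubjectUserName is
#    who did it, TargetUserName is whose password was reset. It is logged on
#    the DC that processed the reset, so query every DC in production.
$resets = Get-WinEvent -ComputerName 'DC01' -FilterHashtable @{
    LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-30)
}
foreach ($e in $resets) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.TargetUserName -eq $sharedAccount) {
        '{0}  {1}\{2} reset password of {3}' -f $e.TimeCreated,
            $data.SubjectDomainName, $data.SubjectUserName, $data.TargetUserName
    }
}
```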
 