prevent admins from changing administrator password?

  • prevent admins from changing administrator password?

    hey there.

    we give everyone admin rights on their laptops. i just had a new (remote) user asking me how to change his login password. he says he was able to change the administrator password, but not his own. arghhh!

    so, is there a policy or a script where i can keep admin users from f'ing up the local administrator account?

    thx!


  • #2
    Re: prevent admins from changing administrator password?

    Essentially no - if you did enforce a limitation, an administrator could overcome it, and if you set up something to change the password to a preset value at regular intervals, it would have to run as a user with administrative privileges. If the users are domain users with roaming profiles on the laptops though, then just tick the box "User cannot change password" in the Account tab of their user account properties in ADUC.

    I'm sure I don't need to explain to you though why giving users administrative permissions is not advisable.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

    Comment
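
Since, as reply #2 says, any restriction can be undone by someone holding admin rights, what remains is detecting the change. The following is an added example, not code from the thread or from any tool it mentions: it filters Security-log events for password change/reset attempts aimed at the built-in Administrator (RID 500). The function name, users, SIDs and sample events are constructed for illustration.

```powershell
# Added example, not from the thread. 4723/4724 are the Security-log events for
# password change/reset attempts (Windows Vista and later); they are recorded
# only when "Audit User Account Management" is enabled.
function Find-BuiltinAdminPasswordEvent {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$EventXml)

    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        $id  = [int]$evt.System.EventID
        if ($id -notin 4723, 4724) { continue }

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # The built-in Administrator keeps RID 500 even when it is renamed.
        if ($data['TargetSid'] -notmatch '^S-1-5-21-\d+-\d+-\d+-500$') { continue }

        [pscustomobject]@{
            Time      = $evt.System.TimeCreated.SystemTime
            EventId   = $id
            Target    = $data['TargetUserName']
            ChangedBy = $data['SubjectUserName']
        }
    }
}

# Constructed sample events (made-up users and SIDs) so the script runs offline:
# a reset of the RID-500 account by "jdoe", and "jdoe" changing his own password.
$ns  = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sid = 'S-1-5-21-1111111111-2222222222-3333333333'
$template = '<Event xmlns="{0}"><System><EventID>{1}</EventID>' +
    '<TimeCreated SystemTime="{2}"/></System><EventData>' +
    '<Data Name="TargetUserName">{3}</Data><Data Name="TargetSid">{4}</Data>' +
    '<Data Name="SubjectUserName">{5}</Data></EventData></Event>'
$sample = @(
    ($template -f $ns, 4724, '2024-01-15T09:12:00Z', 'Administrator', "${sid}-500", 'jdoe'),
    ($template -f $ns, 4723, '2024-01-15T09:20:00Z', 'jdoe', "${sid}-1003", 'jdoe')
)

Find-BuiltinAdminPasswordEvent -EventXml $sample | Format-Table -AutoSize

# Live use (elevated prompt):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723,4724} |
#            ForEach-Object { $_.ToXml() }
# Find-BuiltinAdminPasswordEvent -EventXml $xml
```

A local administrator can also clear the Security log (which itself records event 1102), so this check is more dependable when the events are forwarded off the laptop.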


    • #3
      Re: prevent admins from changing administrator password?

      thx gforce.

      first: yes, i'm well aware of the problems associated with giving users admin rights. i feel the pain every day, but it was not my decision to make.

      hmmm, i kinda like the idea of preventing password change, though of course that's bad security, as well. also, it doesn't really address my remote users using their cached profiles (until they get back in the office, that is).

      still, worth considering, thx!

      edit: okay, i just tested this and while it prevents the user from changing his/her own password, it still allows him/her to change any other password via the control panel. i got some thinkin' to do...
      Last edited by shmengie; 12th December 2008, 23:16.


      • #4
        Re: prevent admins from changing administrator password?

        i'm so smart, here's what i did:

        i edited our existing policy to hide the 'user accounts' applet. (sure, it won't stop a savvy user from going into management and changing a password from there. this is more to keep honest folks honest).

        thx again for the input.


        • #5
          Re: prevent admins from changing administrator password?

          For reference, Optimum X offer a large number of free utilities which you may find useful. In particular, the first two in the list - Account Manager and BuiltIn Account Manager http://www.optimumx.com/download/

          You can use these tools to manage local accounts on domain workstations without having to visit each station in turn.

          They will not manage local groups - use Group Policy Restricted Groups to manage domain user membership of local groups.
          Gareth Howells



          • #6
            Re: prevent admins from changing administrator password?

            Kinda defeats the purpose of implementing a GPO if you give everyone admin rights.

            2 cents...


            • #7
              Re: prevent admins from changing administrator password?

              I've to agree with Mudd...
              Why is everyone an (I assume local) admin?
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"


              • #8
                Re: prevent admins from changing administrator password?

                yes, yes, yes...as stated, i know all about admin rights for users. i believe the thinking is that if a user is on the road and needs to install an app, or whatever, they can. let's say a user wants to defrag his hard drive (why on earth is this still an admin only function?!??!).

                anyways, this policy was in place before i got here, and it is what it is.


                • #9
                  I'll give you guys a very good reason for there to be an Administrator and an Admin Jr (so to say). My company is in the first stages of a very hostile takeover and it's only a matter of time before someone asks me for my Administrator password. Well, not even the CEO knows what it is. I tell no one. Anyway, I know the minute I give them that password the first thing they will do is lock my ass out. No greater fear than being locked out of your own server. Now if we could create a level just under Administrator and give them all rights except password change... well then I wouldn't worry. Make sense? And you guys are right: don't ever give everyone admin rights. Hell, I don't even go online as Admin.
