Password Changing

  • Password Changing

    I have been asked by the CEO (boss!) that only she and the IT manager should have the ability to change her password.

    The System Administrator is the one who changes passwords etc. on a daily basis and just about everything else too.

    Is this possible? At first, I thought no, but I wonder what others think!

  • #2
    Re: Password Changing

    As far as I'm aware, the user themselves, account operators and domain admins (and above) can change the password. And this can't be changed. You could try playing with the security of the object... but that might break other things. ONLY TRY THIS ON A TEST SETUP!

    Sounds like a paranoid CEO!!

    EDIT: My suspicions were correct - have a play with that maybe?? :
    Last edited by tonyyeb; 18th October 2005, 14:41.
    Server 2000 MCP
    Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Password Changing

      I'm assuming that the system admin is a domain admin and that you don't want to remove him from domain admin so that he can continue to do his job. What I would do is this: in the pic tonyyeb showed you, add in that admin's user account and set deny permission to change password on your boss's account. Or maybe deny permission completely on his account. Either way it would be super easy for the admin to get the access back on his own, but you can show the CEO that when he tries he gets the great access denied message, and the CEO won't be any wiser. In terms of actual security, though, not much you can do if you're gonna keep him a domain admin.
      MCSE 2000\2003, A+


      • #4
        Re: Password Changing

        Thanks Tony.

        One idea is to delegate an OU to the IT manager, give him the ability to do what he wants in the OU and lock the Systems Admin out with a deny.

        But the problem is not letting the Systems Admin seize control back...


        • #5
          Re: Password Changing

          You are Domain Admin = you 0wn the domain. No matter what you do to lock some objects, a domain admin can ALWAYS take over and get the control back.

          I would suggest the combination of the already mentioned: grant explicit DENY to Domain Admins/Account Ops on Reset Password and make sure you are auditing ACL changes of the CEO's account. This way, even if someone takes over, the action will be logged in security logs.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"
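
An added example, not part of the thread or any poster's own code: one way to apply the combination suggested in post #5, an explicit deny on Reset Password plus an audit entry for ACL changes on the account. It assumes the ActiveDirectory PowerShell module, a hypothetical account name `ceo.placeholder`, and an IT manager who is not a member of either denied group.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$ceoSam     = 'ceo.placeholder'                      # hypothetical sAMAccountName
$denyGroups = 'Domain Admins', 'Account Operators'   # IT manager must not be in these

# Schema GUID of the "Reset Password" extended right (User-Force-Change-Password)
$resetPwd = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$user = Get-ADUser -Identity $ceoSam
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path -Audit                   # -Audit also loads the SACL

# DACL: explicit deny of Reset Password for each group
foreach ($name in $denyGroups) {
    $sid  = (Get-ADGroup -Identity $name).SID
    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $resetPwd)
    $acl.AddAccessRule($deny)
}

# SACL: record every successful permission or owner change on this object,
# so a domain admin removing the deny leaves an entry in the security log.
# Events appear only if directory service auditing is enabled in the
# domain controllers' audit policy.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$audit = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner',
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($audit)

Set-Acl -Path $path -AclObject $acl

# Read back what is now on the object
$check = Get-Acl -Path $path -Audit
$check.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $resetPwd
} | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
$check.Audit | Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags
```

As the thread notes, the deny is not a security boundary against a domain admin; the audit entry is what makes a takeover visible, so the security log should be forwarded somewhere the system administrator cannot clear it.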