prevent admins from changing administrator password?


This topic contains 8 replies, has 5 voices, and was last updated by  bsudhakar81 1 year, 3 months ago.


  • shmengie
    Member
    #137633

    hey there.

    we give everyone admin rights on their laptops. i just had a new (remote) user asking me how to change his login password. he says he was able to change the administrator password, but not his own. arghhh!

    so, is there a policy or a script where i can keep admin users from f’ing up the local administrator account?

    thx!



    #342314

    Re: prevent admins from changing administrator password?

    Essentially no – if you did enforce a limitation, an administrator could overcome it, and if you set up something to change the password to a preset value at regular intervals, it would have to run as a user with administrative privileges. If the users are domain users with roaming profiles on the laptops though, then just tick the box “User cannot change password” in the Account tab of their user account properties in ADUC.

    I’m sure I don’t need to explain to you though why giving users administrative permissions is not advisable.


    shmengie
    Member
    #247182

    Re: prevent admins from changing administrator password?

    thx gforce.

    first: yes, i’m well aware of the problems associated with giving users admin rights. i feel the pain every day, but it was not my decision to make.

    hmmm, i kinda like the idea of preventing password change, though of course that’s bad security, as well. also, it doesn’t really address my remote users using their cached profiles (until they get back in the office, that is).

    still, worth considering, thx!

    edit: okay, i just tested this and while it prevents the user from changing his/her own password, it still allows him/her to change any other password via the control panel. i got some thinkin’ to do…


    shmengie
    Member
    #247183

    Re: prevent admins from changing administrator password?

    i’m so smart, here’s what i did:

    i edited our existing policy to hide the ‘user accounts’ applet. (sure, it won’t stop a savvy user from going into management and changing a password from there. this is more to keep honest folks honest).

    thx again for the input.
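
Since the replies above agree that a local admin cannot be stopped from changing the built-in Administrator password, the realistic control is to detect it. The following is an added example, not code from any poster in this thread; it assumes Windows PowerShell 5.1 or later, an elevated prompt, and success auditing for "Audit User Account Management", and the function names are hypothetical.

```powershell
# Added example. Assumptions: Windows PowerShell 5.1+, an elevated prompt, and
# success auditing enabled for "Audit User Account Management".

function Get-BuiltinAdministrator {
    # RID 500 identifies the built-in Administrator even after a rename.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Get-AdministratorPasswordEvent {
    param([int]$Days = 30)

    $adminSid = (Get-BuiltinAdministrator).SID.Value
    $filter = @{
        LogName   = 'Security'
        Id        = 4723, 4724   # 4723: password change attempt, 4724: password reset attempt
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the named <Data> fields of the event into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetSid'] -eq $adminSid) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Target    = $data['TargetUserName']
                ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
    }
}

# When the password was last set, then who touched it during the last 30 days.
Get-BuiltinAdministrator | Select-Object Name, Enabled, PasswordLastSet
Get-AdministratorPasswordEvent -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

A local administrator can also clear the Security log or turn auditing off, so this is only dependable when the events are forwarded off the laptop.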

    #342319

    Re: prevent admins from changing administrator password?

    For reference, Optimum X offer a large number of free utilities which you may find useful. In particular, the first two in the list – Account Manager and BuiltIn Account Manager http://www.optimumx.com/download/

    You can use these tools to manage local accounts on domain workstations without having to visit each station in turn.

    They will not manage local groups – use Group Policy Restricted Groups to manage domain user membership of local groups.


    Mudd
    Member
    #319542

    Re: prevent admins from changing administrator password?

    Kinda defeats the purpose of implementing a GPO if you give everyone admin rights.

    2 cents…


    Dumber
    Member
    #199131

    Re: prevent admins from changing administrator password?

    I’ve to agree with Mudd…
    Why is everyone an (I assume local) admin?


    shmengie
    Member
    #247184

    Re: prevent admins from changing administrator password?

    yes, yes, yes…as stated, i know all about admin rights for users. i believe the thinking is that if a user is on the road and needs to install an app, or whatever, they can. let’s say a user wants to defrag his hard drive (why on earth is this still an admin only function?!??!).

    anyways, this policy was in place before i got here, and it is what it is.


    bsudhakar81
    Member
    #391843

    I’ll give you guys a very good reason for there to be an Administrator and an Admin Jr (so to say). My company is in the first stages of a very hostile takeover and it’s only a matter of time before someone asks me for my Administrator password. Well, not even the CEO knows what it is. I tell no one. Anyway, I know the minute I give them that password the first thing they will do is lock my ass out. No greater fear than being locked out of your own server. Now if we could create a level just under Administrator and give them all rights except password change…..well then I wouldn’t worry. Make sense? And you guys are right. Don’t ever give everyone admin rights. Hell, I don’t even go online as Admin.
