Restricting the change of the local administrator account password.

ddraiggoch_at_coldyne.com
Date: 05/05/04

  • Next message: marco2: "RE: Restricting the change of the local administrator account password." 
    Date: Wed, 5 May 2004 08:34:25 -0600 (MDT)
To: focus-ms@securityfocus.com

    Hi All,

    Ive come accross quite an interesting problem, currently I have an
    environment split into categories such as application management, OS
    management etc on the Windows 2000 and 2003 platform's. On the application
    side we get requests form application administrators to get full
    administrative rights on the system which is accepted on domain accounts.

    However, should this user decide to change the local administrator account
    under windows then there is nothing to restrict them doing so as I can
    see. This in essence causes an issue where the OS team builds the system
    with a renamed admin account, and a specific password. This isnt disabled
    as it is relied on should the domain become unavailable and access is
    still required.

    So my question to you all is as follows, how do I restrict the ability to
    change the local administrator password, even at the level of a domain
    account specified as administrator in the local group. Is there a setting
    in woindows that can be turned on so that without knowing what the
    password is the change cannot be made unless you type in the old password,
    new password , and its confirmation?

    Regards

    Jason.

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: marco2: "RE: Restricting the change of the local administrator account password."

    Relevant Pages