Re: can a sysadmin change the win2000 domain admin password ?

From: BP Margolin (bpmargo@attglobal.net)
Date: 02/10/03


From: "BP Margolin" <bpmargo@attglobal.net>
Date: Mon, 10 Feb 2003 15:24:09 -0500


sniper,

Pretty obviously if the person is a member of the Builtin\Administrator
account, then the person is an OS administrator as well, so such a person
could change the password of the OS administrator account ... but not
because the person has membership in the Builtin\Administrator account ...
but because the person is an OS administrator.

If a non-OS administrator is a member of the SysAdmin role, then that
person does not have permissions to change the password of the OS
administrator account.

Sort of related ... a person who is a member of the SysAdmin role can
shut down SQL Server. But a non-OS administrator who is a member of the SQL
Server SysAdmin role cannot start up SQL Server as a service. Starting
services is a privilege at the OS level, and has nothing to do with the fact
that someone may be a member of the SQL Server SysAdmin role.

-------------------------------------------
BP Margolin
Please reply only to the newsgroups.
When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
can be cut and pasted into Query Analyzer is appreciated.

"sniper" <andyrightin@yahoo.com> wrote in message
news:057701c2d0ea$49394590$a101280a@phx.gbl...
> Hi,
> My query is simple ...we know that the
> Builtin\Administrator account can change the sa password
> or reset it right
> is the reverse possible ????
> especially of a win2k domain ?
> can a sysadmin change the win2000 domain administrator
> password ?
>
> any or some help will be appreciated !!
> sniper


