Re: Administrator account / Domain Admin rights
From: Marty (Marty_at_discussions.microsoft.com)
Date: 12/10/04
Date: Fri, 10 Dec 2004 07:05:32 -0800
Roger;
Thanks for your answer. My question was to do with the Domain Administrator
account and the Domain Admin group. It's not that I don't trust my Domain
Admins, it's an issue of forcing accountability. I'm in an organization that
has been doing things a certain way for a while now, and that is that when
someone logs into a server, they usually use that domain administrator
account and password, not their own login information, and I want them to use
their own accounts so that we have tracking of what and who does what. My
hope was to force them to this by changing the domain administrator password
and not telling them, but it occurred to me that they could just go in and
change the password if they wanted to. Now granted, I would have a record
that they would change it and could question them about it, but I was hoping
to not have to bother with that.
Also, we are creating a child domain for a new company that we just
bought, and I wanted to set the domain administrator account for that and not
give them the password and put a couple of guys out there in the domain admin
group and again, not let them have the ability to change the domain
administrator password.
It was just a thought.
Marty
"Roger Abell" wrote:
> I believe the answer is that you do not / cannot do that.
> The old story is "if you cannot trust their actions do not make
> them admins"
>
> Your exact question is a little fuzzy. You ask about setting a
> pwd for a domain admin. But then you speak of admin account
> almost as if it is not a domain admin account.
> If you are speaking of a machine local account, that is in the
> local administrators group, then it is possible to remove the
> domain admins group from the machine local administrators
> group - in which case only local admins can change the password
> of a local account. Of course, policies and agreements under
> which the machine is allowed to join the domain may prevent
> you from doing this.
> If you speak of a domain account, then any domain admin can
> reset the password, and so can any account in the domain's
> Administrators group (whether it is in the Domain Admins or
> not).
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Marty" <Marty@discussions.microsoft.com> wrote in message
> news:44D7C780-0C00-4E21-8BD0-9ADDAA3BD68D@microsoft.com...
> > I want to set a password for my domain admin, but I don't want anyone but the
> > admin account to be able to change it. So my question is how do I revoke the
> > rights to change the admin password from all my accounts, including my domain
> > admins? Or would it be better to just disable the admin account?
> >
> > Marty