Re: Invisible Admin account



If they are admin they can change the password.

hth
DDS W 2k MVP MCSE

"Bill Judd" <u18680@uwe> wrote in message news:5bd4f41346e3a@xxxxxx
The reason why they give all local users admin privileges as opposed to
just power user privileges is that we have a large amount of users that
travel extensively and are remote users. We have found that by only giving
these users power user rights, they have issues with the installation of
some applications, upgrades, and hardware when it is required. The only
downside that we have found to giving them administrator access is that
they have the rights, if they can see the account, to change the password
for that account. If there was a way to create an invisible account that
they could not see, then they could not change the password, thus creating
a back door into the machine if we needed it in the future. The only thing
that I don't want the users to be able to do is to change the Administrator
password on the local machine.

Danny Sanders wrote:
Administrator account that another user with administrator access could not
change the password for, or make this account invisible to all other users.

The problem with that is anything you can do as an admin they, as an admin,
can undo.

What is the reason (other than company policy) that the users have to be
administrator?

I see two ways to remedy this, the first is obvious, remove their admin
privileges.

The other way would be a written policy defining what they can and can't do
with the admin account. Have your users sign off on it. For this to work,
management would have to be behind you. Just explain to management how,
with the policy of putting your users in the admin group, they can
circumvent security policies put in place by you.

hth
DDS W 2k MVP MCSE

How can I create a local admin account with all administrator privileges that
[quoted text clipped - 17 lines]

Any suggestions would be greatly appreciated and welcomed.

