Security on Administrative Tools

From: MT DOJ Help Desk (NoEmail_at_Please.com)
Date: 03/25/04


Date: Thu, 25 Mar 2004 00:52:55 -0700

We have recently upgraded our computers to XP, and now we are in the process
of creating user accounts. We have two machines that are shared by a number
of employees. Because of the nature of our work, each user account on these
two machines needs to have administrative privileges. However, with
administrative privileges also comes the ability to create, edit, and
delete accounts, which we would like to lock down so that only one user can
do those things.

I've tried removing the Administrators group from the permissions on
compmgmt.msc and mmc.exe, and then adding a specific user account to the
permissions on those files, and that does make it hard enough to access the
Computer Management tool that most of our users won't be able to get past
those measures. However, no matter what I tried, I found that I could
always find a way to get into Computer Management. When signed on with an
account that did not have permissions on the files, but that was part of the
Administrators group, all I had to do was take ownership, and then add the
account to the permissions on the files. Besides, there are other ways to
create, edit, and delete accounts. A user could access the User Accounts
applet in the Control Panel, or add the Computer Management snap-in to a
console--even when they don't have the permissions to run it directly--and
use it that way. So I'd like to find a more systemic solution, if possible.

Is there a way to make it so that an account that is part of the
Administrators group is completely locked out of the ability to create,
edit, and delete accounts? Likewise, is it possible to prevent accounts
belonging to the Administrators group from doing certain things, like
formatting the hard drive, so that those kinds of functions can be
restricted to a single account?

--Tom
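The post describes restricting compmgmt.msc and mmc.exe by file permissions and then finding that any member of Administrators can take ownership and regrant access. The audit script below is an added example, not part of the original message or any Microsoft documentation; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) and an elevated session, and uses the two file paths the post names. It reports who is actually in the local Administrators group and what the current owner and direct grants on those files are, which is the first thing to check when deciding whether an ACL-based lockdown can hold at all.

```powershell
# Added audit example (not from the original post). Assumes Windows PowerShell 5.1+
# with Get-LocalGroupMember available and an elevated session.
# File paths are the ones named in the post.
$tools = @("$env:SystemRoot\System32\compmgmt.msc",
           "$env:SystemRoot\System32\mmc.exe")

function Get-AdminToolAudit {
    param([string[]]$Paths = $tools)

    # Accounts that hold local administrative rights. Any account listed here
    # can take ownership of a file regardless of its DACL, because the
    # Administrators group is granted SeTakeOwnershipPrivilege by default.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' |
                Select-Object -ExpandProperty Name)

    $report = foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path

        # Is BUILTIN\Administrators still present in the DACL at all?
        $adminsInDacl = $acl.Access |
            Where-Object { $_.IdentityReference -like '*\Administrators' }

        # Explicit (non-inherited) grants: what the post's approach adds by hand.
        $directGrants = $acl.Access |
            Where-Object { -not $_.IsInherited } |
            Select-Object -ExpandProperty IdentityReference

        [pscustomobject]@{
            Path                 = $path
            Owner                = $acl.Owner
            AdministratorsInDacl = [bool]$adminsInDacl
            DirectGrants         = ($directGrants -join ', ')
        }
    }

    [pscustomobject]@{
        LocalAdministrators = $admins
        AdminCount          = $admins.Count
        Tools               = $report
    }
}

$audit = Get-AdminToolAudit
"Local Administrators ($($audit.AdminCount)): $($audit.LocalAdministrators -join ', ')"
$audit.Tools | Format-Table -AutoSize

if ($audit.AdminCount -gt 1) {
    Write-Warning ("More than one account is in Administrators; a file ACL on " +
                   ($tools -join ', ') + " cannot keep the others out.")
}
```

The warning is the practical point: the file owner and direct grants are worth recording for change tracking, but as long as more than one account sits in Administrators the DACL is advisory, since each of those accounts can reverse it exactly as the post describes.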


