Limited Admin Permissions

I need an admin account whose password other admin accounts can't change.

The Microsoft way to make the administrator password inaccessible to other
administrators is to force the creation of another security scope: a new
box, a new domain, a new virtual machine.

What I need is a way to keep battling adminstrators of the same domain from
locking each other out.

Can this be done, with or without other tools?

The need is especially acute on laptops, whose owners should, kind of, have
admin permissions, anyway. Some people are nice and won't mess with you.
But you get wretched people too, people who should probably be driving cabs
but get hired anyway who will make me use ERD to recover the password.

Isn't anyway to get a programmer into Internet Services Manager without
making him an admin? This is just wrong. I need to withhold configuration
control from warring programmers.

Considering these problems, I'm amazed Microsoft ever sold copy 1 in an
enterprise environment. Nice desktop, but as an enterprise OS, the security
features are lacking.

Hello Robert,

See my reply in microsoft.public.windows.server.active_directory

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I need an admin account whose password other admin accounts can't
> change.
>
> The Microsoft way to make the administrator password inaccessible to
> other administrators is to force the creation of another security
> scope: a new box, a new domain, a new virtual machine.
>
> What I need is a way to keep battling adminstrators of the same domain
> from locking each other out.
>
> Can this be done, with or without other tools?
>
> The need is especially acute on laptops, whose owners should, kind of,
> have admin permissions, anyway. Some people are nice and won't mess
> with you. But you get wretched people too, people who should probably
> be driving cabs but get hired anyway who will make me use ERD to
> recover the password.
>
> Isn't anyway to get a programmer into Internet Services Manager
> without making him an admin? This is just wrong. I need to withhold
> configuration control from warring programmers.
>
> Considering these problems, I'm amazed Microsoft ever sold copy 1 in
> an enterprise environment. Nice desktop, but as an enterprise OS, the
> security features are lacking.
>

"Robert Hindla" <> wrote in message
news:C61236D5.1D58C%...
>I need an admin account whose password other admin accounts can't change.

can't be done. "a domain admin in a domain is a domain admin" - to
paraphrase your other post on the subject.

> The Microsoft way to make the administrator password inaccessible to other
> administrators is to force the creation of another security scope: a new
> box, a new domain, a new virtual machine.

Another method is to scale back the "domain admins" to OU admins...

> What I need is a way to keep battling adminstrators of the same domain
> from
> locking each other out.

Sounds more like an HR problem.

It is difficult to give people privileges without also having to trust them
to use them appropriately. Maybe you need auditing so you can figure out
after the fact who has been using the domain for his own private combat
games...

> Can this be done, with or without other tools?
>
> The need is especially acute on laptops, whose owners should, kind of,
> have
> admin permissions, anyway. Some people are nice and won't mess with you.
> But you get wretched people too, people who should probably be driving
> cabs
> but get hired anyway who will make me use ERD to recover the password.
>
> Isn't anyway to get a programmer into Internet Services Manager without
> making him an admin? This is just wrong. I need to withhold
> configuration
> control from warring programmers.

I kind of agree with you on that one.

> Considering these problems, I'm amazed Microsoft ever sold copy 1 in an
> enterprise environment. Nice desktop, but as an enterprise OS, the
> security
> features are lacking.

Apparently, since they have sold significantly more than one copy in the
enterprise environment, you might be missing part of the reality here.

/Al