Limited Admin Permissions

Discussion in 'Server Security' started by Robert Hindla, Apr 20, 2009.

  1. I need an admin account whose password other admin accounts can't change.

    The Microsoft way to make the administrator password inaccessible to other
    administrators is to force the creation of another security scope: a new
    box, a new domain, a new virtual machine.

    What I need is a way to keep battling administrators of the same domain from
    locking each other out.

    Can this be done, with or without other tools?

    The need is especially acute on laptops, whose owners should, kind of, have
    admin permissions, anyway. Some people are nice and won't mess with you.
    But you get wretched people too, people who should probably be driving cabs
    but get hired anyway who will make me use ERD to recover the password.

    Isn't there any way to get a programmer into Internet Services Manager without
    making him an admin? This is just wrong. I need to withhold configuration
    control from warring programmers.

    Considering these problems, I'm amazed Microsoft ever sold copy 1 in an
    enterprise environment. Nice desktop, but as an enterprise OS, the security
    features are lacking.
     
    Robert Hindla, Apr 20, 2009
    #1

  2. Hello Robert,

    See my reply in microsoft.public.windows.server.active_directory

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 20, 2009
    #2

  3. Robert Hindla

    Al Dunbar Guest

    Can't be done. "a domain admin in a domain is a domain admin" - to
    paraphrase your other post on the subject.
    Another method is to scale back the "domain admins" to OU admins...
    Sounds more like an HR problem.

    It is difficult to give people privileges without also having to trust them
    to use them appropriately. Maybe you need auditing so you can figure out
    after the fact who has been using the domain for his own private combat
    games...
    I kind of agree with you on that one.
    Apparently, since they have sold significantly more than one copy in the
    enterprise environment, you might be missing part of the reality here.

    /Al
     
    Al Dunbar, Apr 21, 2009
    #3
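
Added example, not part of the thread and not any poster's code: one way to do the after-the-fact auditing suggested in the last reply is to report every password reset performed against a protected admin account by someone else. It assumes Windows Server 2008 or later, where Security event 4724 records a password reset attempt; the account names and the sample event are constructed.

```powershell
# Constructed list of admin accounts whose passwords nobody else should reset.
$ProtectedAdmins = @('breakglass-adm')

function Get-AdminPasswordReset {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # output of $event.ToXml()
        [Parameter(Mandatory)] [string[]] $Protected
    )
    foreach ($raw in $EventXml) {
        $evt = [xml]$raw
        # 4724 = "An attempt was made to reset an account's password"
        if ($evt.GetElementsByTagName('EventID')[0].InnerText -ne '4724') { continue }
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $actor  = $data['SubjectUserName']
        $target = $data['TargetUserName']
        # Report only resets of a protected account done by a different account.
        if ($Protected -contains $target -and $actor -ne $target) {
            [pscustomobject]@{
                Time   = $evt.Event.System.TimeCreated.SystemTime
                Actor  = "$($data['SubjectDomainName'])\$actor"
                Target = "$($data['TargetDomainName'])\$target"
            }
        }
    }
}

# Constructed sample event so the function can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2009-04-21T09:15:00.000000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">breakglass-adm</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">admin-b</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
Get-AdminPasswordReset -EventXml $sample -Protected $ProtectedAdmins

# Live use on a domain controller with "Audit User Account Management" enabled:
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} |
#          ForEach-Object { $_.ToXml() }
#   Get-AdminPasswordReset -EventXml $xml -Protected $ProtectedAdmins
```

A domain admin can also clear the Security log (which is itself recorded as event 1102), so the report is only trustworthy if events are forwarded to a collector those admins do not control.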