Re: Super Admin Account

From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
Date: Wed, 16 Aug 2006 17:13:08 +0100

Hi

Does he usually go to servers and mess with that?

Does he have sufficient knowledge to mess with DCs?

He no:

Here's my advice... Rename the Administrator account, create a new account
named administrator give him local Administrator permissions (on his
workstation not on the Servers).

If he usually needs to go to server and mess with everything, than you
should warning about the consequences of these actions, and remove your
responsibility for that, enable auditing on AD to check who is changing
things around.

As for the permissions change question, if the users belong to any of the
windows protected groups the permissions are hourly reset by the
AdminSDHolder.

Windows 2000
Enterprise Admins
Schema Admins
Domain Admins
Administrators
Administrators
For Windows 2000 SP4 or Windows 2003
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

http://support.microsoft.com/?kbid=232199

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"whitehouse78" <whitehouse78@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2C509729-F1A3-4603-8BC4-AAE7E7A9F068@xxxxxxxxxxxxxxxx

The owner of my company wants a "Super Admin" account for himself. He
wants
this account to be the controller of everything, with no one being able to
make any changes to this account. As it stands, we do not use the built
in
admin account, and have 4 domain admins... Is what he is asking for
possible?

Prev by Date: Re: Super Admin Account
Next by Date: Re: Workstation only sees 1 network share
Previous by thread: Re: Super Admin Account
Next by thread: Re: Super Admin Account
Index(es):
- Date
- Thread

Relevant Pages

Re: Access and roles in DCOM technology
... account should definitely not be. ... The 4 servers interact via DCOM technology. ... If this user is local administrator on 4 servers everything works ... > user so the DCOM technology will work between the servers? ...
(microsoft.public.security)
Re: MS Exchange Relay Authentication
... I've seen this on a few servers in various environments. ... The account was still named Administrator ... It seems that account passwords are being cracked. ...
(NT-Bugtraq)
Re: Administrator Account Locking Out
... the Administrator account, or possibly our RADIUS server might be using it ... 2003 Servers and Windows 2000 servers. ... I have looked in both the event logs, turned on netlogon logging, etc. ...
(microsoft.public.windows.server.active_directory)
Re: The very strange problem about Win XP and Win 2K server
... Sounds to me like account Administrator exists on one of the servers ... Administrator account on one but not on the other. ... My local machine & the 2 servers are all ...
(microsoft.public.win2000.security)
Re: Changing Administrator Password On Server 2003 Domain Controll
... you should limit use of Administrator account for logging into domain ... It is in fact the Domain Administrator password I am speaking of. ... the same password will then be required on DC Two and the Member Servers ... on domain controllers there is DSRM ...
(microsoft.public.windows.server.general)