Click here to get back home

Admin rights
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Admin rights Justin Rich 09-05-2006
---> Re: Admin rights Roger Abell [MV...09-06-2006
`--> Re: Admin rights Steven L Umbach09-08-2006
Posted by Justin Rich on September 5, 2006, 11:27 am
Please log in for more thread options
 Is there a way to give a user admin rights on the server but prevent them
from changing the local administrator password?

I have some users that need to use RDP to get on to a server to monitor and
check things but as a security precaution i would like to make sure they
cant change the local admin password so that if any thing happens i at least
have a way to get on the server.

Thanks
Justin



Posted by Roger Abell [MVP] on September 6, 2006, 2:27 am
Please log in for more thread options
 If you try to limit what an admin account can do you only end
up frustrating the holders of those account and not unavoidably
limiting them. If they want to get around what you have done to
limit them badly enough they can and will.

Why do they need to be administrators?
Can you not grant sufficient for them to do the monitoring that
you have mentioned? They do not need to be admins to use
an RDP login, so evidently you are not finding a way to allow
a plain user account to do the monitoring??

> Is there a way to give a user admin rights on the server but prevent them
> from changing the local administrator password?
>
> I have some users that need to use RDP to get on to a server to monitor
> and check things but as a security precaution i would like to make sure
> they cant change the local admin password so that if any thing happens i
> at least have a way to get on the server.
>
> Thanks
> Justin
>



Posted by bharat on September 7, 2006, 3:19 pm
Please log in for more thread options
need the solution to this

Roger Abell [MVP] wrote:
>If you try to limit what an admin account can do you only end
>up frustrating the holders of those account and not unavoidably
>limiting them. If they want to get around what you have done to
>limit them badly enough they can and will.
>
>Why do they need to be administrators?
>Can you not grant sufficient for them to do the monitoring that
>you have mentioned? They do not need to be admins to use
>an RDP login, so evidently you are not finding a way to allow
>a plain user account to do the monitoring??
>
>> Is there a way to give a user admin rights on the server but prevent them
>> from changing the local administrator password?
>[quoted text clipped - 6 lines]
>> Thanks
>> Justin


Posted by Roger Abell [MVP] on September 7, 2006, 9:06 pm
Please log in for more thread options
> need the solution to this
>

To what?
To
>>> Is there a way to give a user admin rights on the server but prevent
>>> them from changing the local administrator password?
??
If so there is none. Admin is admin and controls all accounts.

> Roger Abell [MVP] wrote:
>>If you try to limit what an admin account can do you only end
>>up frustrating the holders of those account and not unavoidably
>>limiting them. If they want to get around what you have done to
>>limit them badly enough they can and will.
>>
>>Why do they need to be administrators?
>>Can you not grant sufficient for them to do the monitoring that
>>you have mentioned? They do not need to be admins to use
>>an RDP login, so evidently you are not finding a way to allow
>>a plain user account to do the monitoring??
>>
>>> Is there a way to give a user admin rights on the server but prevent
>>> them
>>> from changing the local administrator password?
>>[quoted text clipped - 6 lines]
>>> Thanks
>>> Justin
>



Posted by Robert Moir on September 6, 2006, 4:47 pm
Please log in for more thread options
Justin Rich wrote:
> Is there a way to give a user admin rights on the server but prevent
> them from changing the local administrator password?
>
> I have some users that need to use RDP to get on to a server to
> monitor and check things but as a security precaution i would like to
> make sure they cant change the local admin password so that if any
> thing happens i at least have a way to get on the server.

Long story short, you'd like them to be administrators and not to be
administrators, all at the same time.

Hmmm.



Similar ThreadsPosted
How2: User Rights on Domain but Admin Rights on Computer December 20, 2006, 3:40 pm
A question regarding admin rights and passwords for sbs November 30, 2005, 7:36 pm
new forms on print server without admin rights February 10, 2006, 9:51 am
Domain Users to have Local Admin rights April 28, 2006, 3:17 pm
Delegating Admin Rights in Windows 2003 September 25, 2007, 2:40 pm
Rights to allow non admin to close other users' files March 6, 2008, 6:18 am
Need limited domain admin rights user account. August 8, 2005, 2:33 pm
Terminal services-give a program admin rights January 10, 2006, 4:14 pm
Allowing a Domain User Admin Rights to a Couple of Domain Servers June 29, 2005, 8:13 pm
SQL Server Administrative rights VS DBA SA rights July 25, 2006, 8:30 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap