2 questions regarding the Admin account

April 12, 2011 at 08:19:22
Specs: Windows Vista
Hi. I'm trying to setup a security policy and am a bit stuck - and wonder whether anyone can help me. I've got 2 questions that I can't seem to find the answers to.

1. Is it possible to set up a master system administrator account under a Windows Server OS that is protected from interference by other system administrators?

2. Is there a way to set up a user with all privileges necessary to maintain a system under Windows server except the ability to set up and modify usercodes and passwords?

I've tried searching on the internet for hours, but keep getting responses for Server Administrator jobs - and can't seem to pinpoint any specific answer. Thanks so much for your help.

See More: 2 questions regarding the Admin account

Report •

April 12, 2011 at 14:49:12
Administrator is the master account. There are precanned groups in server 2008 like Domain Admins and so on that may have access to make changes to the Administrator account (this is so you can undo mistakes from another account). Just do not assign users to these groups if you don't want them to have access. You can change owner ships on the the OUs. Check this out...


Report •

April 12, 2011 at 15:42:56
1. No.

The Administrators group is by design the most powerful user group in a Windows OS. Any member can alter any account in the system. All attempts to limit their power will fail. Whatever obstacles you put in their path they can avoid. All members of this group are equal. This is all a part of the nature of the account. The Administrator account is a little different but that has no relevance to your situation.

Report •

April 13, 2011 at 01:08:00
1. Yes. If you are using Active Directory then the Administrator account is more powerful than accounts in the "Administrators" group. Best practice is to never use this account for day-to-day use; set a really complex password, write it down and put it in a safe accessible only to one or two very trusted people. The create accounts that you put in the "Administrators" and/or "Domain Administrators" group for day-to-day use.

2. Yes. It's possible to set up "limited Administrators" who you allow to do only the tasks that you wish to delagate to them. Have a look at this article for more details.

These details are quite complicated so to really understand a Windows Domain you need to go on a course or else study a very good book on the subject. The definitive reference is the Windows Server Resource Kit. Expensive, but worth its weight in gold.

Report •
Related Solutions

Ask Question