|Subject:||How to limit admin account permissions.|
|Posted by:||Robert Hindla (rhind…@panix.com)|
|Date:||Mon, 20 Apr 2009|
I need an admin account whose password other admin accounts can't change.
The Microsoft way to make the administrator password inaccessible to other
administrators is to force the creation of another security scope: a new
box, a new domain, a new virtual machine.
What I need is a way to keep battling adminstrators of the same domain from
locking each other out.
Can this be done, with or without other tools?
The need is especially acute on laptops, whose owners should, kind of, have
admin permissions, anyway. Some people are nice and won't mess with you.
But you get wretched people too, people who should probably be driving cabs
but get hired anyway who will make me use ERD to recover the password.
Isn't anyway to get a programmer into Internet Services Manager without
making him an admin? This is just wrong. I need to withhold configuration
control from warring programmers.
Considering these problems, I'm amazed Microsoft ever sold copy 1 in an
enterprise environment. Nice desktop, but as an enterprise OS, the security
features are lacking.