Create SuperAdmin to moderate Administrator behaviour

We have the standard Administrator Account that created the domain. I want to create a SuperAdmin so that I can protect some user folders. The user obviously wants full control and trusts the SuperAdmin to have access - but wants to exclude Administrator from peeking. Too many people know the Administrator Password and will continue to use it for normal Admin functions. We can't change the Administrator's password because several people need to know it and we would have to make too many changes to services which use it. Anyway, it doesn't achieve the objective.

Is it possible to create SuperAdmin so that it can manage the user folders, keep Administrator out but allow Administrator enough permission to copy the protected folders to other volumes by Xcopy (it's another way we do on-line backups)? I thought of creating SuperAdmin as an administrator and then use it to modify some properties of Administrator. Or, as SuperAdmin, take ownership of the folders and grant permission to the user - but exclude Administrator. BTW it's Windows 2000 Advanced.
 
No.

You are going about it wrong. That is what the Administrator account is for.
If you choose to use your administrator account like a regular user account
and share that account info with non-admins, you're going to end up with not
enough security on your domain, like you have now.

Your users should either be regular users, power users, or regular domain
users with Admin privileges on the local computer. One user should be the
Admin and no one else should have that account info.

The "right" way to remedy this would be to change the admin password and
keep it from the users. Users at most should have local admin rights not
domain admin rights. Admin duties should be done by the admin. The
Administrator should be trusted.

Not sure what your objective is but "super Admin" is not the answer. You are
trying to make everyone Domain admins and "create" an account to
compensate for the security leak that making *anyone* a domain admin
creates.
I have yet to find a need to make users domain admins. Local admin, maybe.

As an administrator of the domain the user can virtually do what they want
as far as taking ownership of files, adding themselves to groups, changing
network settings that can mess up the domain communication, changing
permissions on files and folders, etc.

hth
DDS W 2k MVP MCSE


Stu said:
We have the standard Administrator Account that created the domain. I want
to create a SuperAdmin so that I can protect some user folders. The user
obviously wants full control and trusts the SuperAdmin to have access - but
wants to exclude Administrator from peeking. Too many people know the
Administrator Password and will continue to use it for normal Admin
functions. We can't change the Administrator's password because several
people need to know it and we would have to make too many changes to
services which use it. Anyway, it doesn't achieve the objective.
Is it possible to create SuperAdmin so that it can manage the user
folders, keep Administrator out but allow Administrator enough permission to
copy the protected folders to other volumes by Xcopy (it's another way we do
on-line backups). I thought of creating SuperAdmin as an administrator and
then use it to modify some properties of Administrator. Or, as SuperAdmin,
take ownership of the folders and grant permission to the user - but exclude
Administrator. BTW it's Windows 2000 Advanced
 
Yes. As a Domain Administrator you have all the permissions you need. If you choose to allow some users to have domain admin rights then what is to keep you from giving some users super admin rights? The trouble is the admin hierarchy has to stop somewhere and it stops at Domain Administrator. So set the admin\user rights with the users\groups that you have but work from Domain Admin down; i.e.

SuperAdmin <= Domain Administrator (Hard Coded).
 
