Disable Administrator Login in a W2K Domain

carlosvillalonga

Hi, I have about 20 W2K Pro workstations and 5 XP Pro workstations that
log in to a W2K Server domain controller.
I am looking to restrict and possibly disable the option for users to
log in by using the Administrator account in the domain, given that I
have created a different type of user (power user) by the name of
"agent" to log in on every workstation.
I know that disabling the administrator account on every workstation
locally only restricts the administrator account from logging in to the
machines locally, but they still have login access to the domain by
using the administrator account.
How do I do this? Should I create a group policy that would restrict
this?
Thanks
Carlos.
 
Miha Pihler [MVP]

Hi Carlos,

My first question would be: how do users know the password for the domain
administrator account? :) As long as they know it, you have lost your battle, if
I may call it that. As long as they have this information they can always
bypass any setting that you throw at them.

My second question is: where would you like to limit their logon? To domain
controllers? That is easy. Make sure that they don't know the password of the domain
administrator account.
If you would like to limit which users can log on to local computers -- yes,
you can use policy. Look for the policy called "Allow log on locally" under
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\

Only the groups or users that you enter here will be able to log on to the
computer!

http://www.microsoft.com/technet/pr...elp/15744f9c-e188-4fac-ac60-9380a58b30ae.mspx

Note again that even if you set this policy, users who have the domain
administrator password will be able to change any policy back to what
they like.

Note: be careful with the policy "Deny log on locally" since it has priority
over Allow... If you e.g. enter the Administrators _group_ in "Allow log on locally"
and the "Domain Users" group under "Deny log on locally" -- no one will be able to
log on to the computers under this policy. Even Domain Administrators are
members of the Domain Users group and will therefore be denied access...

These policies exist for Windows 2000, XP and 2003 Server...
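A check for the Allow/Deny interaction described above, as an added example that is not from the thread: it exports the effective User Rights Assignment with secedit, resolves the SIDs to account names, and warns when a principal appears under both rights or when the current user's token contains a denied group. It assumes an elevated PowerShell prompt on the workstation being checked.

```powershell
# Added example (not from the thread). Exports the local security database's
# user rights, then compares "Allow log on locally" (SeInteractiveLogonRight)
# with "Deny log on locally" (SeDenyInteractiveLogonRight). Deny always wins,
# so anything listed in both is effectively locked out. Run elevated.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Get-RightPrincipals {
    param([string]$Path, [string]$Right)
    $line = Get-Content $Path | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            # Resolve the SID to DOMAIN\Name; keep the raw SID if it cannot be resolved
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }
        } else { $v }
    }
}

$allow = @(Get-RightPrincipals $inf 'SeInteractiveLogonRight')
$deny  = @(Get-RightPrincipals $inf 'SeDenyInteractiveLogonRight')
"Allow log on locally: $($allow -join ', ')"
"Deny  log on locally: $($deny -join ', ')"

$both = $allow | Where-Object { $deny -contains $_ }
if ($both) { Write-Warning "Listed in both Allow and Deny (Deny wins): $($both -join ', ')" }

# Deny applies through group membership, so check whether the current user's
# token carries any denied group (the Domain Admins-in-Domain Users case above).
$myGroups = whoami /groups /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty 'Group Name'
$hit = $deny | Where-Object { $myGroups -contains $_ }
if ($hit) { Write-Warning "Current user would be denied local logon via: $($hit -join ', ')" }
Remove-Item $inf -ErrorAction SilentlyContinue
```

The export reflects what is applied on this machine, so running it on a workstation after a Group Policy refresh shows the combined result of local and domain policy.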
 
Roger Abell [MVP]

Simply put, only let each person know the passwords of the
accounts that they should be using.
 
Wolf Kirchmeir

Roger said:
Simply put, only let each person know the passwords of the
accounts that they should be using.


IOW, change the admin account password, and don't tell anybody what it is.
 
Roger Abell [MVP]

Wolf Kirchmeir said:
IOW, change the admin account password, and don't tell anybody what it is.

Yes, and that means use different ones on different machines.
 
Wolf Kirchmeir

Roger said:
Yes, and that means use different ones on different machines.

Which is tedious, granted, but if that aspect of security is that
important, it needs to be done.** Unless you can write a script that
will do it for you, from the server. Is that possible?

Footnote:
**In my last couple years as HS teacher, I was in charge of the
computing dept, and we went to great lengths to reduce the possibility
of students hacking into the school's network. We password protected
every machine's bootup, one at a time. That was in W3.x days, with
Novell 4. It worked, for a while. The worse problem was students handing
out their account passwords to their friends. It took them a while to
realise that some bloody-minded punks would cheerfully mash their
directories.
 
Steven L Umbach

As everyone has already said, make sure that they do not know the password
for any domain-level administrator account. Also use Active Directory Users
and Computers to check the membership of the built-in Administrators group
for the domain and also of any groups that are members of the Administrators
group, which by default would be Domain Admins and Enterprise Admins.
Possibly someone has added Domain Users or Everyone to one of those groups.
You can use Group Policy "Restricted Groups" to manage those groups, as shown
in the link below. To restrict domain-level group membership you would want
to configure it on the Domain Controllers container via Group Policy. You
should also have auditing of account management enabled in the Domain Controller
Security Policy so you can review the security logs for changes in
membership of those groups. Also keep in mind that users can use keyboard
loggers, etc. to capture your domain-level administrator account credentials
if you use it to log on to a domain computer. Best practice is to use a
regular domain user account that is in the local Administrators
group on the domain computers to manage them, and NOT to use the same password
as you do for your domain-level administrator account. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
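The membership review Steve describes, as an added example that is not from the thread: it walks the domain's Administrators, Domain Admins and Enterprise Admins groups, follows nested groups, and flags broad principals (Everyone, Authenticated Users, Domain Users, Domain Computers, BUILTIN\Users) that should never be members. It assumes the ActiveDirectory PowerShell module (RSAT) and a single-domain forest, where Enterprise Admins lives in the same domain.

```powershell
# Added example (not from the thread). Reads each privileged group's "member"
# attribute with Get-ADObject so foreign security principals such as Everyone
# are handled too, and recurses into nested groups with a cycle guard.
Import-Module ActiveDirectory

# Well-known SIDs / RIDs that should never sit in a privileged group.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users
$BroadRids = @(513, 515)                                  # Domain Users, Domain Computers

function Test-Broad([string]$Sid) {
    if ($BroadSids -contains $Sid) { return $true }
    $rid = [long](($Sid -split '-')[-1])
    return $Sid.StartsWith('S-1-5-21-') -and ($BroadRids -contains $rid)
}

function Get-NestedMembers {
    param([string]$GroupDn, [string]$Chain, [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Seen.Add($GroupDn)) { return }          # guard against circular nesting
    $group = Get-ADObject -Identity $GroupDn -Properties member
    foreach ($dn in $group.member) {
        $m = Get-ADObject -Identity $dn -Properties objectSid
        $sid = $m.objectSid.Value
        $flag = if (Test-Broad $sid) { 'BROAD' } else { '' }
        [pscustomobject]@{ Flag = $flag; Class = $m.ObjectClass; Chain = "$Chain > $($m.Name)" }
        if ($m.ObjectClass -eq 'group') {
            Get-NestedMembers -GroupDn $dn -Chain "$Chain > $($m.Name)" -Seen $Seen
        }
    }
}

$report = foreach ($name in 'Administrators', 'Domain Admins', 'Enterprise Admins') {
    $g = Get-ADGroup -Identity $name
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    Get-NestedMembers -GroupDn $g.DistinguishedName -Chain $g.Name -Seen $seen
}
$report | Sort-Object Flag -Descending | Format-Table Flag, Class, Chain -AutoSize
```

Anything marked BROAD in the output is a candidate for removal, and the same groups are what a Restricted Groups policy on the Domain Controllers container would then keep enforced.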
 
