Disallow Domain Administrator logon from client

[Guest]

Is there a way to disallow the Domain administrator from logging in to the
network from a Client (XP) machine?

Scenario is that a user might know the administrator account password and
because some our systems use this password we don't want to change the
password if we can help it.

 

[David H. Lipman]

From: "Haggis" <[email protected]>

| Is there a way to disallow the Domain administrator from logging in to the
| network from a Client (XP) machine?
|
| Scenario is that a user might know the administrator account password and
| because some our systems use this password we don't want to change the
| password if we can help it.

If it was a capability, and I doubt there is, think about how counter productive such a
Policy would be !

 

[Lanwench [MVP - Exchange]]

Is there a way to disallow the Domain administrator from logging in to the
network from a Client (XP) machine?

Scenario is that a user might know the administrator account password and
because some our systems use this password we don't want to change the
password if we can help it.

Well, I guess you could remove domain admins from the local admins group, or
use group policy, but that's a Really Bad Idea. And wouldn't be foolproof
anyway. But - how would a user know the domain admin credentials? It isn't
"administrator/password", is it?

Also - what systems use the domain admin credentials? Change that - it's bad
practice. Even for daily admin, nobody should be using the domain admin
account. Set up those who need to do more than just use the network with
separate accounts for 'godlike' powers, and delegate settings in AD.