Invisible Admin account

cwjudd

How can I create a local admin account with all administrator privileges that
cannot be seen or viewed by others? The reason for this is that our company
insists on issuing all users of all computers admin privileges so that they
can install applications as needed, however many of these users like to
change the administrator password on the local machines when they get their
machines or just before they turn them in to us when they are leaving the
company, making it impossible for us to get into the machine and pull data
off of it.

We run a Novell network, however we use a standard W2K Professional operating
system as our client platform. It would be nice if we could create a local
Administrator account that another user with administrator access could not
change the password for, or make this account invisible to all other users.

Any suggestions would be greatly appreciated and welcomed.
 
Danny Sanders

Administrator account that another user with administrator access could not
change the password for, or make this account invisible to all other
users.

The problem with that is anything you can do as an admin they, as an admin,
can undo.

What is the reason (other than company policy) that the users have to be
administrator?

I see two ways to remedy this, the first is obvious, remove their admin
privileges.

The other way would be a written policy defining what they can and can't do
with the admin account. Have your users sign off on it. For this to work,
management would have to be behind you. Just explain to management how, with
the policy of putting your users in the admin group, they can circumvent
security policies put in place by you.

hth
DDS W 2k MVP MCSE
 
Bill Judd

The reason why they give all local users admin privileges as opposed to just
power user privileges is that we have a large number of users that travel
extensively and are remote users. We have found that by only giving these
users power user rights, they have issues with the installation of some
applications, upgrades, and hardware when it is required. The only down side
that we have found to giving them administrator access is that they have the
rights if they can see the account to change the password for that account.
If there was a way to create an invisible account that they could not see,
then they could not change the password, thus creating a back door into the
machine if we needed it in the future. The only thing that I don't want the
users to be able to do is to change the Administrator password on the local
machine.

 
Danny Sanders

If they are admin they can change the password.

hth
DDS W 2k MVP MCSE

 
Roger Abell [MVP]

I doubt you will find any joy along the lines you are considering.
As Danny stated, if they are admin they can undo anything you
have set in place.

If you had a domain then you could enforce some local config
settings in a way that could not be changed locally (like Domain
Admins in Administrators, or specific accounts log in with smart
card only). However such as these are not options for you.

Short of hacking your machines up with your own rootkit-like
functionality, they will as admins be able to see all accounts that
are defined and adjust any aspect of those accounts.
 
