Protected Administrative Account

Thread starter: Kelly

Kelly

Is there any way to configure a 'master' administrative account that
cannot be locked out by, let's say, a disgruntled member of an IT
team. This account would be protected/isolated (A restricted OU?) and
the password held by a very select few. (Windows 2000/3 Active
Directory environment)

The main worry is that someone could lock out accounts or change
passwords to the degree of crippling a network. I have just started
looking into this and any tips would be fantastic.

Thanks in advance.

Kelly
 
Kelly said:
Is there any way to configure a 'master' administrative account that
cannot be locked out by, let's say, a disgruntled member of an IT
team. This account would be protected/isolated (A restricted OU?) and
the password held by a very select few. (Windows 2000/3 Active
Directory environment)
The main worry is that someone could lock out accounts or change
passwords to the degree of crippling a network. I have just started
looking into this and any tips would be fantastic.
Because account policy can be placed only at the domain level, this is not
an easy thing to do. In my opinion the best practice in the case of
such a super admin account is a top-level "root domain" in which only
enterprise admin accounts are held and a specific password and account
lockout policy is deployed.
 
Well, if the lockout policy is set, the only account that can't be locked out is
the built-in administrator account. It will lock out for network access but not
local console. As for not allowing its password to be changed, that is a tough
one to do. If the admins aren't very bright, you can use a tool I sell on my web
site that will prevent anyone from doing an admin set on the ID, but that won't
help if the person knows the process by which it works.

An alternative would be to have a service running somewhere that constantly sets
that password to a known value, however, again that can be worked around.

Another alternative is to dork with the AD ACLs but again, that can be worked
around.

You really need to trust your admins and if you don't, take away their rights.
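An added example, written by the editor and not posted by anyone in this thread, that turns the two replies above into checks a defender can run: the first reply's point that the lockout policy exists only at the domain level (so one query shows what applies to every account), the second reply's point that the real control is who holds rights over the account's AD object, and the detection side that neither reply spells out (who reset, locked or unlocked the protected account). It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session with read access to AD and to a domain controller's Security log, which is later tooling than the Windows 2000/2003 environment in the question; the account name `MasterAdmin` is a placeholder.

```powershell
# Added example, not from anyone in this thread. Assumes the RSAT ActiveDirectory
# module and a domain-joined session with read access to AD and to a DC's Security log.
# 'MasterAdmin' is a placeholder for the protected account; substitute your own.
Import-Module ActiveDirectory

$ProtectedSam = 'MasterAdmin'   # placeholder (assumption)

# Extended right "Reset Password" (User-Force-Change-Password), well-known GUID.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-LockoutPolicySummary {
    # Lockout settings live at the domain level (the only level available on
    # Windows 2000/2003), so this single object is the policy for every account.
    $pol = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        LockoutThreshold         = $pol.LockoutThreshold      # 0 means lockout is disabled
        LockoutDuration          = $pol.LockoutDuration
        LockoutObservationWindow = $pol.LockoutObservationWindow
    }
}

function Get-PasswordResetters {
    # Lists every trustee explicitly allowed to reset the account's password,
    # or holding rights broad enough to grant itself that ability (GenericAll,
    # WriteDacl, WriteOwner). This is the ACL the second reply refers to.
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An ExtendedRight ACE with an empty ObjectType grants all extended rights.
        $canReset = $ace.ActiveDirectoryRights.HasFlag($extRight) -and
                    ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq [Guid]::Empty)
        $broad    = $ace.ActiveDirectoryRights.ToString() -match 'GenericAll|WriteDacl|WriteOwner'
        if ($canReset -or $broad) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ProtectedAccountEvents {
    # Pulls password-reset (4724), lockout (4740) and unlock (4767) events that
    # name the protected account. 4740 is written on the PDC emulator, so run
    # this there or against a collector that receives its Security log.
    param([string]$SamAccountName, [int]$Days = 1)
    $filter = @{ LogName = 'Security'; Id = 4724, 4740, 4767; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        $action = switch ($e.Id) {
            4724 { 'password reset attempt' }
            4740 { 'locked out' }
            4767 { 'unlocked' }
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Action = $action
            By     = $data['SubjectUserName']   # who performed the action
            Target = $data['TargetUserName']
        }
    }
}

Get-LockoutPolicySummary
Get-PasswordResetters -SamAccountName $ProtectedSam | Format-Table -AutoSize
Get-ProtectedAccountEvents -SamAccountName $ProtectedSam -Days 7 | Format-Table -AutoSize
```

The ACL listing is the part worth reviewing regularly: any trustee it prints who is not on the short list that is supposed to hold the master password can reset it, and inherited entries show where a delegation higher in the OU tree reaches the account. The event listing gives the record the second reply says you ultimately have to rely on, since every workaround it mentions still leaves a 4724 or 4740 naming the admin who did it.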
 