how can a user change password of administrator

+
0 Votes
Locked

santoshlipi
I just installed a Win2008 server, configured everything as required and made it live. After 2 hours I came to know that the administrator's password had been changed by a user. To verify that, I logged on to the DC as a user and tried to reset the password of the administrator, and I succeeded.

Please let me know where the actual bug is. Usually a user cannot reset the password.

Thanks.
  • +
    0 Votes
    Mehul Bhai

    And reprimand him. First of all, how did the user know the administrator password? This has to be the exclusive domain of the System Administrator and related people like Support Staff and immediate Boss as per your company policy.
    You changed the administrator password by logging in as a user; that means the user has administrative privileges for the Domain.
    Something is gravely wrong in your domain setup. Rectify it, otherwise you will have to run around very much sorting out problems.

    +
    0 Votes
    santoshlipi

    That user doesn't have administrator privileges. He is allowed to log on locally to the DC for a certain purpose. So for test purposes I newly created a user and allowed him to log on locally. After a successful login to the DC I went to dsa.msc and tried to reset the password of the administrator, and was surprised to know that the user can change it.

    +
    0 Votes
    Mehul Bhai

    For what purpose are you allowing a USER to log on locally to the DC? I have never tried what you have done, as we have never allowed such privileges.

    +
    0 Votes
    cmiller5400

    That should NEVER happen...

    +
    0 Votes
    Mehul Bhai

    I mean to say the same thing as "cmiller5400".

    +
    0 Votes
    mr_t_wright

    Make sure you don't have domain users in the "admin group"...

    +
    0 Votes
    tintoman

    I reckon some squid brain has dumped all the users in the Administrators group

    +
    0 Votes
    philldmc

    I might be mistaken, but I thought by default the DC policy was to deny non administrator accounts to log onto the DC.

    If I'm not mistaken this policy is automatic, so it has to be turned off for a standard user to log in. Even if they could log in, they should not have the ability to change passwords for the admin account, unless that user has admin rights.

    It sounds like there are other security issues going on. My first step would be to deny log in to non admin, verify other accounts don't have admin privileges, and then change the admin pass. Just remember what you changed it to.

    +
    0 Votes
    philldmc

    By chance did you add Terminal Services to the DC? If you did I'm not sure why, but you might want to check your policy on the terminal services.

    +
    0 Votes
    cmiller5400

    Be VERY careful assigning deny permissions. Remember they take precedence over all other permissions. So, deny an admin group or the administrator or the group "Everyone" the permission to login and you have a whole "charlie foxtrot" to try and fix.

    +
    0 Votes
    David.Flechler

    I usually disable my Administrator account and set up a user account that I make the Admin account. No one else will have Admin privileges for the server. Now the client machines all have a common Admin account much like the server, but I also allow another Network admin group privileges to the client computers in case desktop support is necessary.

    On another note, I would terminate the user that changed the Admin password. He is obviously too nosy and is a risk to the network. You don't need those kind of people lurking around in your servers. If he found that he could change the password and reported that he thought that it was a risk, I might feel different, but he purposely tried to lock out the Admin account, and that ain't cool.

    +
    0 Votes
    cmiller5400

    Why not rename the existing administrator account and create a bogus account titled administrator and assign it no rights, disabled and an absurdly long password? That way you are not messing too much with a built in account.
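
Several replies above come down to the same check: make sure ordinary users have not ended up, directly or through nesting, in a group that can administer the domain. The following is an added example, not code from any poster in this thread, that walks the membership of the privileged groups and flags broad principals. It assumes the ActiveDirectory PowerShell module (RSAT) and PowerShell 3.0 or later; the function name `Get-PrivilegedGroupMember` is hypothetical.

```powershell
# Added example: list everything nested in the groups that can administer
# the domain or reset passwords, and flag broad principals such as Domain Users.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Privileged groups addressed by well-known SID, so renamed groups are still found.
$privileged = @{
    'Administrators (builtin)' = 'S-1-5-32-544'
    'Account Operators'        = 'S-1-5-32-548'
    'Domain Admins'            = "$domainSid-512"
}

# Broad principals that should never be members of a privileged group.
$broad = @{
    'S-1-1-0'        = 'Everyone'
    'S-1-5-11'       = 'Authenticated Users'
    'S-1-5-32-545'   = 'Users (builtin)'
    "$domainSid-513" = 'Domain Users'
}

function Get-PrivilegedGroupMember {
    param([string]$GroupSid, [string]$Label, [hashtable]$Seen = @{})
    $group = Get-ADGroup -Identity $GroupSid -Properties member
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }      # guard against nesting loops
        $Seen[$dn] = $true
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        $sid = if ($obj.objectSid) { $obj.objectSid.Value } else { $null }
        $tooBroad = [bool]($sid -and $broad.ContainsKey($sid))
        [pscustomobject]@{
            PrivilegedGroup = $Label
            Member          = $obj.Name
            Class           = $obj.ObjectClass
            Sid             = $sid
            TooBroad        = $tooBroad
        }
        # Recurse into nested groups, but do not expand a broad group
        # (that would list every user in the domain).
        if ($obj.ObjectClass -eq 'group' -and -not $tooBroad) {
            Get-PrivilegedGroupMember -GroupSid $sid -Label $Label -Seen $Seen
        }
    }
}

$report = foreach ($label in $privileged.Keys) {
    Get-PrivilegedGroupMember -GroupSid $privileged[$label] -Label $label
}
$report | Sort-Object PrivilegedGroup, Member | Format-Table -AutoSize
$report | Where-Object { $_.TooBroad }   # any row here needs to be removed from the group
```

A row with `TooBroad` set to `True` would explain how a freshly created test user was able to reset the Administrator password.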
