Administrator Account - Windows 2003. Want to make it unchangable!

By hwaynos ·

I work for a company that has two locations, one here in the states and one in China. We have been having problems with some users and the network over in China. We want to take complete control of their network from the states.

One thing that I need to do is make it so I always have Administrator control over their domain. Can anyone help me think of a way to make sure that they do not have the ability to change anything having to do with the Administrator user.

They have a basic "helpdesk" kindof guy over there that run their IT... but, he doesn't do too much. I want to be able to make him an account where he can make permission changes and stuff like that... but, I don't want any of the users over there to be able to make any changes to any user. I want to have that ability completely in my hands.

I am not too sure how to do this in Windows 2003. Can anyone please give me some recommendations or something?

Always greatly appreciated.


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Delegation of Authority

by 1bn0 In reply to Administrator Account - W ...

Found this article that gives a basic outline.

Be carefull! Maybe someone else here can give you better advise or refer you to better information.

Basically, Delegation of authority means assigning permission to a group to perform speficied actions. e.g unlock user account, reset user password, add user to AD, add computer to AD, etc.

Then add the users you want to have these abilities to the group.

Typically a Help Desk tech would be delegated authority for password resets and unlocking accounts. This way the Help Desk does not have authority to add users ro computers to the directory.

Collapse -

Plan for Administrative control

by IC-IT In reply to Administrator Account - W ...

You need to be the Enterprise Administrator. It may be wise to insure someone else also has access to that accounts password in case of an emergency. Plan on who you will allow to have Domain Admin status and as was shown above, delegate other duties.

Related Discussions

Related Forums