Administrator Password - to tell or not to tell?

By fruitbat83
I am the only IT person in our organisation (25 staff). Obviously, I know the Administrator password but no one else does. In an emergency where someone had to use the Administrator password (for example to gain access to the Server) I have placed the password in a sealed envelope in the Finance fireproof Safe.

I am currently under pressure by the Head of Finance (who is my immediate boss) to tell someone else the Administrator password. I maintain that as it is accessible in the Safe I need not tell someone the password.

I am resisting because all the PCs are locked down (users cannot install anything, change anything etc) and if someone knew the Administrator password, they could install whatever they damn well felt like, which is why the machines are locked down. I want to know what people want installing and why they feel they need it installing.

My boss wishes me to inform just one member of the Senior Managers who "knows about IT". I know this particular person and feel that armed with the Admin Password she will seek to install software without my agreement, as happened before - she found the old password out and was secretly installing software which I knew nothing about. When I found out she knew the password, I changed it and didn't tell her, but placed it in the safe.

I feel that as we're forbidden to tell each other our own logon passwords by Company Policy I shouldn't be forced to hand out the Admin password willy-nilly, when using it can have massive implications on the system. If I agree to tell this one person, someone else might come along with a gripe that they also need the password and before I know it everyone will be using it.
I feel that there is no solid reason for this lady to have the password until she really, really needs it, and then if I'm not there to assist, she can get it from the safe - why does she need to know it all the time?

My boss argues I'm being a "control freak" about this - but it's me that will have to fix the PCs when one of our more dopey employees installs something riddled with spyware.

What do you think? What are your own policies regarding the administrator password in your organisation?


Absolutely Not

by cmiller5400 In reply to Administrator Password - ...

What you have done is acceptable. If they need the password for some GOOD reason, it is available. That password should not be spread around or told to someone who is not administering the network.


I totally agree! <NT>

by The Scummy One In reply to Absolutely Not

Do not give it out under any circumstances.... unless.

by Locrian_Lyric In reply to Administrator Password - ...

You go the following route:

Bring your boss a document that says:

"I hereby accept all responsibility for any damage that giving out the Admin password to (name of schnook). I understand that in so doing, I am exposing the company to risks from spyware, malware, trojans, viruses, and hacker threats. I understand that (name of schnook) has had this information in the past and has used it to circumvent existing IT policy and understand that (schnook) is likely to do it again. Therefore, I accept full responsibility and will hold harmless (fruitbat83) from any disciplinary action should any of the above risks, and any unforeseen ones, come to fruition."

See if he signs it.


While that is cute

by jdclyde In reply to Do not give it out under ...

it could backfire.

I would bring this up in a meeting with the owner and all of the managers.

Make damn sure that the "no unauthorized software" is COMPANY policy and not just something you decided.

Ask them to explain why your having the password readily available upon an emergency is not sufficient and have them supply an example of why this particular user should know the password.

I would at that time point out that she has knowingly abused that information before.

Of course, if this all comes down to it being YOUR policy about locking the systems down and no unauthorized software, you might be showing them that you are the IT Nazi, and they will work to replace you ASAP. I would if that was the case.


Company Policy

by fruitbat83 In reply to While that is cute

We had a problem in the past with users installing stuff themselves and we ended up in a right mess.

It was agreed at Board level (in the Use of ICT Policy) that the machines be locked down mainly because it was taking up so much time sorting the PCs out, loss of productivity etc.



by irene-martini In reply to While that is cute



I hate it when my cat walks on the keyboard.

by CharlieSpencer In reply to nfgngfmmsdgkfgbdsbjsdbger ...

Rename the Admin account.

by RFink In reply to Administrator Password - ...

Create a dummy account called "Administrator" with no rights. Give out the password to that account (under duress, of course). The real admin account remains hidden. If someone tries to do something behind your back, he won't be able to.

If a situation should arise where the true admin password is needed, the account and password are in the safe.

BTW, who controls the Finance safe? I would think that the "Head of Finance" could help himself whenever he wanted it.


You are in the right. I like Locrian_Lyric's answer too

by IC-IT In reply to Administrator Password - ...

We do the same thing here. I am the only one locally that has the admin passwords (Domain Admins have access of course).
All my server and workstation passwords are in a sealed envelope and the safe is accessible only by a few folks. Anytime the safe is open the envelope is checked and initials are kept on who opened and secured the safe (time, date).
The only reason for her needing to know in a non-emergency situation is to circumvent policies.


Separate admin account for her.

by CharlieSpencer In reply to Administrator Password - ...

Give the troublesome user a second account for network administration. Put this account in the Domain Administrators global group. Give this account a password different from the p/w for the Admin account. This will allow her to work on the network as necessary, and any changes she makes will be identified with her admin username and distinguishable from changes you make as Administrator. Make sure she knows this: you'll be able to tell who did what. (Okay, so you'd have to turn auditing on for this to actually work, but they don't need to know that.)

Now remove the "Domain Admins" global group from the local Administrators group on her machine, and add your own. Now she'll have domain admin privileges in an emergency but be unable to putz up her own machine. You can still service hers as needed.

Everyone in our department that needs domain admin access has an account separate from both the Administrator account and from their 'regular user' account.
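
Added example, not part of any post in this thread: a PowerShell sketch of the auditing that makes both RFink's decoy "Administrator" account and CharlieSpencer's per-person admin accounts useful, reporting logon attempts against the decoy and attributing account and group changes to the admin account that made them. The function names, the `jsmith-adm` account, the IP address and the SID are hypothetical; event IDs 4625, 4720 and 4732 are standard Windows Security log events.

```powershell
# Live input (assumes elevation and that the Logon, User Account Management and
# Security Group Management audit subcategories are enabled):
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4720,4732} |
#     ForEach-Object { $_.ToXml() }
# Builds a constructed sample event in the Security log's XML shape.
function New-SampleEvent([int]$Id, [hashtable]$Data) {
    $fields = foreach ($k in $Data.Keys) { "<Data Name='$k'>$($Data[$k])</Data>" }
    "<Event><System><EventID>$Id</EventID></System>" +
        "<EventData>$($fields -join '')</EventData></Event>"
}
# Flatten one event's XML into an object: EventId plus every named EventData field.
function ConvertFrom-SecurityEventXml([string]$Xml) {
    $e = ([xml]$Xml).Event
    $rec = [ordered]@{ EventId = [int]$e.System.EventID }
    foreach ($d in $e.EventData.Data) { $rec[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]$rec
}
function Get-AdminAccountFinding {
    param([string[]]$EventXml, [string]$DecoyAccount = 'Administrator')
    foreach ($x in $EventXml) {
        $ev = ConvertFrom-SecurityEventXml $x
        switch ($ev.EventId) {
            4625 {   # failed logon: reported only when it targets the decoy account
                if ($ev.TargetUserName -eq $DecoyAccount) {
                    [pscustomobject]@{ Finding = 'Failed logon on decoy account'
                        Actor = $ev.IpAddress; Detail = $ev.TargetUserName }
                }
            }
            4720 {   # account created: Subject* fields name the admin who did it
                [pscustomobject]@{ Finding = 'User account created'
                    Actor = $ev.SubjectUserName; Detail = $ev.TargetUserName }
            }
            4732 {   # member added to a local group such as Administrators
                [pscustomobject]@{ Finding = 'Member added to local group'
                    Actor = $ev.SubjectUserName
                    Detail = "$($ev.MemberSid) -> $($ev.TargetUserName)" }
            }
        }
    }
}
# Constructed sample events (not real log data).
$samples = @(
    New-SampleEvent 4625 @{ TargetUserName = 'Administrator'; IpAddress = '192.0.2.10' }
    New-SampleEvent 4732 @{ SubjectUserName = 'jsmith-adm'; TargetUserName = 'Administrators'
                            MemberSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    New-SampleEvent 4720 @{ SubjectUserName = 'jsmith-adm'; TargetUserName = 'tempuser' }
)
Get-AdminAccountFinding -EventXml $samples | Format-Table -AutoSize
```

With a shared Administrator login every row would show the same Actor, which is why the attribution depends on each person having their own admin account.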
