TechRepublic|Forums|Networks

Networks

Question

  • Creator
    Topic
  • July 7, 2010 at 12:16 am #2212553

    how can a user change password of administrator

    Locked

    by santoshlipi · about 13 years, 9 months ago

    i just installed a win2008 server and configured everything as required n made it live. After 2 hours i came to know that administrator’s password has been changed by a user. To verify that i loged on the DC as a user n tried to reset password of the administrator and i successed.

    Please let me know where the actual bug is ? Usualy user can not reset password.

    Thanks.

    Topic is locked This conversation is currently closed to new comments.
  • Creator
    Topic

All Answers

  • Author
    Replies
    • July 7, 2010 at 12:16 am #2868082

      Clarifications

      by santoshlipi · about 13 years, 9 months ago

      In reply to how can a user change password of administrator

      Clarifications

    • July 7, 2010 at 5:02 am #2868058

      You have to ask that user.

      by 93961 · about 13 years, 9 months ago

      In reply to how can a user change password of administrator

      And reprimand him. First of all how the user knew the administrator password? This has to be the exclusive domain of the System Administrator and related people like Support Staff and immediate Boss as per your company policy.
      You changed the administrator password by login as a user that means the user has administrative previleges for the Domain.
      Some thing is gravely wrong in your domain setup. Rectify it, otherwise you will have to run arround very much sorting out problems.

      • July 7, 2010 at 5:18 am #2868055

        surprise how can the user change password of admin

        by santoshlipi · about 13 years, 9 months ago

        In reply to You have to ask that user.

        that user don’t have administrator previleges. he is allowed to log on locally to the DC for certain purpose. so for test purpose i newly created a user and allowed him to log on localy. After successful login to the dc i went to das.msc and tried to reset password of administrator n surprised to know that the user can change.

    • July 7, 2010 at 10:35 am #2855275

      Check privileges

      by mr_t_wright · about 13 years, 9 months ago

      In reply to how can a user change password of administrator

      Make sure you don’t have domain users in the “admin group”…

      • July 15, 2010 at 9:35 am #2857223

        I’m with you here

        by tintoman · about 13 years, 9 months ago

        In reply to Check privileges

        I reckon some squid brain has dumped all the users in the Administrators group

    • July 7, 2010 at 5:08 pm #2855228

      denied login?

      by philldmc · about 13 years, 9 months ago

      In reply to how can a user change password of administrator

      I might be mistaken, but I thought by default the DC policy was to deny non administrator accounts to log onto the DC.

      If I’m not mistaken this policy is automatic so it has to be turn off for a standard user to log in. Even if they could log in they should not have ability to change passwords to the admi account. Unless that user has admin rights.

      It sounds like there are other security issues going on. My first step would be to deny log in to non admin, very other accounts don’t have admin privledges, and then change admin pass. Just remember what you changed it to.

      • July 7, 2010 at 5:11 pm #2855226

        Just thinking RDP

        by philldmc · about 13 years, 9 months ago

        In reply to denied login?

        By chance did you add Terminal services to the DC? If you did I’m not sure why..but you might want to check your policy on the terminal services..

      • July 8, 2010 at 5:21 am #2855178

        Just fair warning…

        by cmiller5400 · about 13 years, 9 months ago

        In reply to denied login?

        Be VERY careful assigning deny permissions. Remember they take precedence over all other permissions. So, deny an admin group or the administrator or the group “Everyone” the permission to login and you have a whole “charlie foxtrot” to try and fix.

        • July 15, 2010 at 8:00 am #2857258

          It’s got to be a privilege problem…

          by david.flechler · about 13 years, 9 months ago

          In reply to Just fair warning…

          I usually disable my Administrator account and setup a user account that I make the Admin account. No one else will have Admin privileges for the server. No the client machines all have a common Admin account much like the server but I also allow another Network admin group privileges to the client computers in case desktop support is necessary.

          On another note, I would terminate the user that changed the Admin password. He is obviously too nosy and is a risk to the network. You don’t need those kind of people lurking around in your servers. If he found that he could change the password and reported that he thought that it was a risk, I might feel different, but he purposely tried to lock out the Admin account, and that ain’t cool.

        • July 15, 2010 at 10:53 am #2857209

          Why not…

          by cmiller5400 · about 13 years, 9 months ago

          In reply to It’s got to be a privilege problem…

          Why not rename the existing administrator account and create a bogus account titled administrator and assign it no rights, disabled and an absurdly long password? That way you are not messing too much with a built in account.

  • Author
    Replies
Viewing 3 reply threads