Question
-
CreatorTopic
-
July 7, 2010 at 12:16 am #2212553
how can a user change password of administrator
Lockedby santoshlipi · about 13 years, 9 months ago
i just installed a win2008 server and configured everything as required n made it live. After 2 hours i came to know that administrator’s password has been changed by a user. To verify that i loged on the DC as a user n tried to reset password of the administrator and i successed.
Please let me know where the actual bug is ? Usualy user can not reset password.
Thanks.
Topic is locked -
CreatorTopic
All Answers
-
AuthorReplies
-
-
July 7, 2010 at 12:16 am #2868082
Clarifications
by santoshlipi · about 13 years, 9 months ago
In reply to how can a user change password of administrator
Clarifications
-
July 7, 2010 at 5:02 am #2868058
You have to ask that user.
by 93961 · about 13 years, 9 months ago
In reply to how can a user change password of administrator
And reprimand him. First of all how the user knew the administrator password? This has to be the exclusive domain of the System Administrator and related people like Support Staff and immediate Boss as per your company policy.
You changed the administrator password by login as a user that means the user has administrative previleges for the Domain.
Some thing is gravely wrong in your domain setup. Rectify it, otherwise you will have to run arround very much sorting out problems.-
July 7, 2010 at 5:18 am #2868055
surprise how can the user change password of admin
by santoshlipi · about 13 years, 9 months ago
In reply to You have to ask that user.
that user don’t have administrator previleges. he is allowed to log on locally to the DC for certain purpose. so for test purpose i newly created a user and allowed him to log on localy. After successful login to the dc i went to das.msc and tried to reset password of administrator n surprised to know that the user can change.
-
July 7, 2010 at 5:25 am #2868052
log on locally to the DC!!!???
by 93961 · about 13 years, 9 months ago
In reply to surprise how can the user change password of admin
For what purpose you are allowing a USER to log on locally to the DC? I have never tried what you have done as we have never allowed such previleges.
-
July 7, 2010 at 1:28 pm #2855255
WHY is a USER logging into a DC?
by cmiller5400 · about 13 years, 9 months ago
In reply to surprise how can the user change password of admin
That should NEVER happen…
-
July 7, 2010 at 10:06 pm #2855196
Same
by 93961 · about 13 years, 9 months ago
In reply to WHY is a USER logging into a DC?
I mean to say the same thing as “cmiller5400”.
-
-
-
July 7, 2010 at 10:35 am #2855275
Check privileges
by mr_t_wright · about 13 years, 9 months ago
In reply to how can a user change password of administrator
Make sure you don’t have domain users in the “admin group”…
-
July 15, 2010 at 9:35 am #2857223
I’m with you here
by tintoman · about 13 years, 9 months ago
In reply to Check privileges
I reckon some squid brain has dumped all the users in the Administrators group
-
-
July 7, 2010 at 5:08 pm #2855228
denied login?
by philldmc · about 13 years, 9 months ago
In reply to how can a user change password of administrator
I might be mistaken, but I thought by default the DC policy was to deny non administrator accounts to log onto the DC.
If I’m not mistaken this policy is automatic so it has to be turn off for a standard user to log in. Even if they could log in they should not have ability to change passwords to the admi account. Unless that user has admin rights.
It sounds like there are other security issues going on. My first step would be to deny log in to non admin, very other accounts don’t have admin privledges, and then change admin pass. Just remember what you changed it to.
-
July 7, 2010 at 5:11 pm #2855226
Just thinking RDP
by philldmc · about 13 years, 9 months ago
In reply to denied login?
By chance did you add Terminal services to the DC? If you did I’m not sure why..but you might want to check your policy on the terminal services..
-
July 8, 2010 at 5:21 am #2855178
Just fair warning…
by cmiller5400 · about 13 years, 9 months ago
In reply to denied login?
Be VERY careful assigning deny permissions. Remember they take precedence over all other permissions. So, deny an admin group or the administrator or the group “Everyone” the permission to login and you have a whole “charlie foxtrot” to try and fix.
-
July 15, 2010 at 8:00 am #2857258
It’s got to be a privilege problem…
by david.flechler · about 13 years, 9 months ago
In reply to Just fair warning…
I usually disable my Administrator account and setup a user account that I make the Admin account. No one else will have Admin privileges for the server. No the client machines all have a common Admin account much like the server but I also allow another Network admin group privileges to the client computers in case desktop support is necessary.
On another note, I would terminate the user that changed the Admin password. He is obviously too nosy and is a risk to the network. You don’t need those kind of people lurking around in your servers. If he found that he could change the password and reported that he thought that it was a risk, I might feel different, but he purposely tried to lock out the Admin account, and that ain’t cool.
-
July 15, 2010 at 10:53 am #2857209
Why not…
by cmiller5400 · about 13 years, 9 months ago
In reply to It’s got to be a privilege problem…
Why not rename the existing administrator account and create a bogus account titled administrator and assign it no rights, disabled and an absurdly long password? That way you are not messing too much with a built in account.
-
-
-
-
AuthorReplies