0

We have two administrators who are responsible for maintaining a machine running Windows 10. Both administrators need to have the ability to install any software on the machine (including software that requires admin privileges) and make system changes.

However, the account of admin A (the "super-administrator", if you will) must be off limits to admin B.

By default, Windows allows administrators to change passwords of any other user including another admin user. Hence nothing stops admin B from removing/changing the password of Admin A, and signing into his account that way.

If we create 2 standard-user accounts, the admins will be unable to take actions that require admin privileges. If we simply create 2 admin accounts, admin B will have the ability to access the account of Admin A.

Having said that, what is the best way of creating this type of setup?

For example, is there a way to create an admin user that has access to most admin privileges, but not the privilege of modifying other user accounts?

Note that in the event of a breach, it will not be sufficient to identify that admin B has illegally signed into the account of admin A, as there would be no way to "take back" stolen data. Hence our aim is to prevent this situation from occurring in the first place.

4
  • 2
    Use Active Directory. No other way, really.
    – Daniel B
    Commented Jan 22 at 9:52
  • 2
    What you want is not possible.
    – DavidPostill
    Commented Jan 22 at 9:52
  • 2 options really. 1. Use Active Directory. 2. Tell them that they are not allowed to change nor log in to the account of the other person, and that they'll lose their job if it happens anyway.
    – LPChip
    Commented Jan 22 at 10:29
  • “each will be able to access the other.” - Only if they Reset the password. Furthermore, you can make 2FA required easily enough, but again an Administrator could reconfigure the other account. Of course that’s when you get into a situation of just firing whoever does that.
    – Ramhound
    Commented Jan 22 at 12:29

1 Answer

0

Two legitimate concerns that you may want to address are:

  • Ability to audit who made changes.
  • Privilege separation.

An approach to solve this may be to create two accounts for each admin (alice + alice_admin and bob + bob_admin). This would allow both admins to use their own accounts for everyday work, then use their privileged accounts when a particular task requires the higher level of access. Keeping all four of these accounts in Active Directory would mean that they are available on all machines.

> Hence nothing stops one admin from removing/changing the password of the other admin, and signing into his account that way.

True, however most systems hash passwords, hence it is ... "more difficult" ... to reset the passwords back to the original value, so it is generally obvious that someone has messed with the passwords.

What I am hinting at here is that you can provide some protection against accidental change / provide an audit history about what happened in such cases.

However, it is almost impossible to prevent someone with both Administrative access and malicious intent from covering their tracks. If you have such a situation in your company you should probably consider this as an HR issue and address it as such.

Finally, as a practical matter, you may need to fire one (or both) of the admins at some point, hence access has to be set up so that either of the admins can remove the other's access entirely, if/when that occurs.
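The audit history mentioned in the answer can be read from the Windows Security log. The following is an added example, not part of the original answer: it lists password resets performed by one account against another, assuming the "User Account Management" audit subcategory is enabled and using a 30-day look-back window chosen for illustration.

```powershell
# Added example: who reset whose password on this machine?
# Run from an elevated session. Events are only recorded once auditing is on:
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

$since = (Get-Date).AddDays(-30)   # assumed look-back window

# Event ID 4724 = "An attempt was made to reset an account's password"
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724
    StartTime = $since
} -ErrorAction SilentlyContinue    # no matching events is not an error here

$resets = foreach ($e in $events) {
    # Read the named event data fields from the XML form of the record
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Actor     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Target    = '{0}\{1}' -f $data['TargetDomainName'],  $data['TargetUserName']
        ActorSid  = $data['SubjectUserSid']
        TargetSid = $data['TargetSid']
    }
}

# Keep only resets where the actor is not the owner of the target account
$resets |
    Where-Object { $_.ActorSid -ne $_.TargetSid } |
    Sort-Object Time |
    Format-Table Time, Actor, Target -AutoSize
```

A local administrator can clear the Security log, which itself records event 1102 ("The audit log was cleared"), so the record is only durable if events are forwarded to a system neither admin controls.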
