
I have 3 user accounts: two admin user accounts and one standard user. I don't want any admin account to be able to change the password of the other admin account. In short, I want the 2 admin accounts to be independent of each other, so that neither can change the other's password. Is there any rule in the group policy that I can set to enforce this?

Now, in the control panel, if I log in with the admin account and look at the user accounts, it shows the option "Manage another account", through which I can change the other admin account's password. I should not be able to do that. Please help.


  • AFAIK, admin user gets admin rights.
    – Toto
    Commented Apr 12 at 10:03
  • @Toto Depends. Local admin gets local admin rights. Local admin cannot do domain admin stuff. ;)
    – LPChip
    Commented Apr 12 at 10:13
  • @LPChip: You're right, my bad ;(
    – Toto
    Commented Apr 12 at 10:24
  • You haven't said that multiple users are involved. In which case, smack your hand every time it wanders into the change password section. Commented Apr 12 at 14:10



It has already been said in another answer, but to clarify things, I've decided to still write an answer.

Yes, a user that is added to the local Administrators group gets full control on that computer, and they can do anything on that computer, including changing other local users.

However, notice how I write local users.

While local admins can do anything to a local computer, they cannot make changes to domain accounts, as that requires access to the domain controller.

If you want to prevent local admins from changing other users' passwords, you will need to use a domain controller, add the computer to the domain and migrate the user accounts to the domain controller.

After that, local admins can still do a whole lot on that PC, but they can no longer change the password of other admins, if those admins are domain users.

That said, with admin access, you can create local users and log in with those.

Also good to note: while many tasks seem to require admin access, this is not always necessary. Admin access is requested when a task fails due to insufficient rights. For example, installing a program in C:\Program Files requires admin access because, by default, normal users may not write to this folder. If you make this folder writable for normal users, then they no longer need admin access for installs that just place the program in that location. Similarly, the local machine registry hive has similar restrictions that can be opened in the same way.

I would advise against opening these with write permissions for everyone, but you can add these specific users to those locations with write permissions and they may not need an admin account in the first place.
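As an added example (not part of the answer above or the question), this PowerShell script shows the two defensive checks the answer implies: which members of the local Administrators group are local accounts (and so can reset each other's passwords) versus domain accounts (which a local admin cannot touch), and how to grant one specific standard user write access to C:\Program Files instead of admin membership. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, run from an elevated prompt; the user name `installer` is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+
# with the built-in Microsoft.PowerShell.LocalAccounts module, run elevated.

# 1. Audit the local Administrators group. PrincipalSource 'Local' means the
#    account lives in the local SAM, so any other local admin can reset its
#    password via "Manage another account". 'ActiveDirectory' members have
#    their password stored on the domain controller, out of a local admin's reach.
$members = Get-LocalGroupMember -Group 'Administrators'
$members | Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize

# 2. Flag the condition the question describes: more than one local admin user.
$localAdmins = @($members | Where-Object {
    $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User'
})
if ($localAdmins.Count -gt 1) {
    Write-Warning ("{0} local admin accounts exist; each can reset the others' " +
                   "passwords. Move them to domain accounts to prevent this.") -f $localAdmins.Count
}

# 3. Least privilege instead of admin rights: give one named standard user
#    (hypothetical name 'installer') Modify on C:\Program Files so installs that
#    only write there no longer trigger an admin prompt. Grant to the user, not
#    to Everyone, as the answer advises.
$folder = 'C:\Program Files'
$user   = 'installer'   # hypothetical standard user account
$acl    = Get-Acl -Path $folder
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify the new entry is present on the folder.
(Get-Acl -Path $folder).Access | Where-Object { $_.IdentityReference -like "*$user" }
```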

  • Thank you for the explanation. I will see what I can do.
    – nikhil
    Commented Apr 12 at 10:16
  • You're welcome. :)
    – LPChip
    Commented Apr 12 at 10:16
  • Also, if you don't have a server, and such an Active Directory is not an option, you can consider buying a Synology NAS. You can install an Active Directory on it and do user management from there. It's not as advanced as Windows Active Directory, as you don't have domain group policy, but you don't need that. You still get that users cannot change other users unless they have an admin account on the NAS.
    – LPChip
    Commented Apr 12 at 10:20
