+ Post New Thread
Page 1 of 3 123 LastLast
Results 1 to 15 of 31
Windows Server 2000/2003 Thread, Local account on Server 2003 in Technical; Hello, I am hell-bent on changing the admin password for the server because even the neighbours' cat knows it!(When I ...
  1. #1
    znova's Avatar
    Join Date
    Jan 2009
    Location
    Derbyshire
    Posts
    154
    Thank Post
    20
    Thanked 5 Times in 5 Posts
    Rep Power
    12

    Local account on Server 2003

    Hello,

    I am hell-bent on changing the admin password for the server because even the neighbours' cat knows it!(When I first started to work here it was taped to the wall )

    The implications are this: being a small school with limited space, the server itself gets used for internet/Word/Facility. Is there a built-in account that will give a limited access to the server itself but will accomplish the above? I trawled through the built-in accounts but nothing seems to quite fit the bill.

    Anyone else in a similar situation and found an account that works?

    Since noone will listen to me and they will find a way of using server anyway, let's limit the impact they might have.

    Thanks!

  2. #2

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,095
    Thank Post
    511
    Thanked 2,309 Times in 1,785 Posts
    Blog Entries
    24
    Rep Power
    803
    Just using a normal domain account will provide the functions you want? Why do you want a local account?

  3. #3

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    8,941
    Thank Post
    232
    Thanked 1,510 Times in 1,206 Posts
    Rep Power
    328
    You need to make sure the admin password isn't used for something else, such as a service or an application for example. You could (as a recommendation), copy the domain administrator account, then name it and password it as appropriate.

    You can then proceed to change the password and see if it breaks anything. If it does or you cannot logon, you can use the secondary admin account you copied/created earlier.

  4. #4

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    8,941
    Thank Post
    232
    Thanked 1,510 Times in 1,206 Posts
    Rep Power
    328
    To answer your other question, you can use a limited account on a server, but you'll be seriously limited as to what you can do. Although Microsoft does recommend to use accounts with less privileges, it really doesn't work that well in practice. Just stick with a single, well secured account.
    Preventing physical access to a server is also a consideration you should look at if necessary. Is the room where the server is hosted secure or locked when you are out of it?

  5. #5
    znova's Avatar
    Join Date
    Jan 2009
    Location
    Derbyshire
    Posts
    154
    Thank Post
    20
    Thanked 5 Times in 5 Posts
    Rep Power
    12
    To answer the questions: Server is in the school office. The office only has 1 computer which is shared by up to 3 people. So they go on the server, print their stuff, do their reports, check e-mails etc...

    They do not need access to anything on the server really apart from facility, which is only installed on the admin pc(but that would be just the matter of adding priviliges to that program).

    I wasn't too keen on the idea of adding a domain account with admin privilages since only the server needs be accessed as a normal PC.

  6. #6
    znova's Avatar
    Join Date
    Jan 2009
    Location
    Derbyshire
    Posts
    154
    Thank Post
    20
    Thanked 5 Times in 5 Posts
    Rep Power
    12
    And yes, I tested one of the limited accounts(Print Operator) and it wouldn't even let me access the internet, so totally useless.

  7. #7

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,095
    Thank Post
    511
    Thanked 2,309 Times in 1,785 Posts
    Blog Entries
    24
    Rep Power
    803
    Quote Originally Posted by zdenka View Post
    To answer the questions: Server is in the school office. The office only has 1 computer which is shared by up to 3 people. So they go on the server, print their stuff, do their reports, check e-mails etc...

    They do not need access to anything on the server really apart from facility, which is only installed on the admin pc(but that would be just the matter of adding priviliges to that program).

    I wasn't too keen on the idea of adding a domain account with admin privilages since only the server needs be accessed as a normal PC.
    Why would it need admin privileges? Why not just a normal, domain account?

  8. #8
    znova's Avatar
    Join Date
    Jan 2009
    Location
    Derbyshire
    Posts
    154
    Thank Post
    20
    Thanked 5 Times in 5 Posts
    Rep Power
    12
    Why not just a normal, domain account?
    And adding the log in locally to GP? Off to test it..

  9. #9

    Join Date
    Mar 2008
    Location
    Surrey
    Posts
    2,161
    Thank Post
    95
    Thanked 318 Times in 260 Posts
    Blog Entries
    4
    Rep Power
    111
    A normal domain account with permission assigned to log on to the DC by adding them to the Allow logon locally permission under Default Domain Controllers Policy should work fine. I assume that's why you were going to use an admin account?

    I'd be surprised if any of the Operators groups could do anything outside of their own function, that's the idea behind them. Print Operators can manage print queues, Server Operators can do basic maintenance tasks, Backup Operators can manage backups, and so on. Internet access isn't part of any of those roles.

  10. #10

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    8,941
    Thank Post
    232
    Thanked 1,510 Times in 1,206 Posts
    Rep Power
    328
    The office only has 1 computer which is shared by up to 3 people. So they go on the server, print their stuff, do their reports, check e-mails etc...
    This is really unusual. The usual approach is the server itself just hosts Facility, the database and maybe user files. Admin staff should have a workstation each, which they can logon to, access their files (typically through mapped network drives) and all be able to use Facility simultaneously.

  11. #11

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,095
    Thank Post
    511
    Thanked 2,309 Times in 1,785 Posts
    Blog Entries
    24
    Rep Power
    803
    Quote Originally Posted by Michael View Post
    This is really unusual. The usual approach is the server itself just hosts Facility, the database and maybe user files. Admin staff should have a workstation each, which they can logon to, access their files (typically through mapped network drives) and all be able to use Facility simultaneously.
    It isn't unusual at all, I know of lots of primary schools who do it the way the OP says.

    Not that it's the right way to do it, or even a legal way to do it (Data Protection Act etc...) but that's how many small schools do it.

    It adds a layer of complexity, and a layer of danger to a system that isn't needed though. All for the sake of buying a PC to do the job instead (a couple of hundred quid).

  12. #12
    znova's Avatar
    Join Date
    Jan 2009
    Location
    Derbyshire
    Posts
    154
    Thank Post
    20
    Thanked 5 Times in 5 Posts
    Rep Power
    12
    I will have to think about this one a bit more.

    Office users need to acces their docs but I don't want to allow the logon locally right because it will redirect their docs - no space for that. If I copy their account(office2) and take the doc redirection out, they won't be able to see their docs on the office PC, right? They can see them now when they log on the server as an admin...hmmm, don't tell I tweak the settings there!

    The staff just using the server as a workstation(any suggestions for names ?) shouldn't be a problem now.

  13. #13

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    8,941
    Thank Post
    232
    Thanked 1,510 Times in 1,206 Posts
    Rep Power
    328
    Well I've yet to see one, but as you say, for the sake of a couple of hundred 's it seems ridiculous to have all this trouble. Allowing staff access to a server is extremely risky.

    Installing workstations of course allows you to lock down access with GPOs. You can actually lock down servers, but I wouldn't recommend it.

  14. #14
    znova's Avatar
    Join Date
    Jan 2009
    Location
    Derbyshire
    Posts
    154
    Thank Post
    20
    Thanked 5 Times in 5 Posts
    Rep Power
    12
    And don't get me started on the data protection!

    No encryption in sight here, the deputy head isn't aware of how she is supposed to secure data, no training on this - I would stick my two-penny in but it wouldn't do any good.

  15. #15

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    8,941
    Thank Post
    232
    Thanked 1,510 Times in 1,206 Posts
    Rep Power
    328
    Office users need to acces their docs but I don't want to allow the logon locally right because it will redirect their docs - no space for that. If I copy their account(office2) and take the doc redirection out, they won't be able to see their docs on the office PC, right? They can see them now when they log on the server as an admin...hmmm, don't tell I tweak the settings there!
    As a recommendation each Admin user should have a dedicated workstation. Their documents and Facility remain on the server, but creating a shortcut on a workstation would allow them to access Facility securely and to access their documents using a network drive \\Servername\Share and allocate it a letter such as H:\ You'd also be required to map the Facility share and this could be T:\ for example.

    I presume you must have something like this setup as you already have one workstation. You just need a few more and you copy the configuration so all Admin staff can work at the same time. Makes sense really

SHARE:
+ Post New Thread
Page 1 of 3 123 LastLast

Similar Threads

  1. change local account membership
    By linkazoid in forum Windows
    Replies: 5
    Last Post: 4th March 2009, 07:33 PM
  2. local admin account re-set remotely BULK
    By Gavinc in forum Windows
    Replies: 11
    Last Post: 18th December 2008, 08:32 PM
  3. RADIUS and local XP user account
    By stjtech in forum Wireless Networks
    Replies: 1
    Last Post: 26th November 2008, 09:05 AM
  4. Outlook 2003 Account Settings
    By BKGarry in forum How do you do....it?
    Replies: 7
    Last Post: 16th January 2008, 03:15 PM
  5. Need to reset a local account's password
    By timbo343 in forum Scripts
    Replies: 1
    Last Post: 21st September 2007, 01:16 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •