Jump to content

Restrict an administrator user

`WHooami
By `WHooami
in Servers, NAS, and Home Lab
 Share
Posted

Hello.

 

I have a server where I got 2 users. 1 local admin(mine) and one-second admin(other users) and I want to restrict that local user to not be available to disable the firewall. I want it to have all other admin rights except firewall.

 

This is a Rackspace server and not a server on lan, so domain user control is not an option.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
7 hours ago, `WHooami said:

Hello.

 

I have a server where I got 2 users. 1 local admin(mine) and one-second admin(other users) and I want to restrict that local user to not be available to disable the firewall. I want it to have all other admin rights except firewall.

 

This is a Rackspace server and not a server on lan, so domain user control is not an option.

Uhm... you can't do that. An Administrator is an Administrator in Windows.

 

Certainly not without a Domain.

 

Now, I'm assuming you're talking about a Windows Server. If another OS? That kind of permission change may be possible.

 

If you don't want an account to disable the firewall, change it's permission level to Standard (Windows), or remove/disable it completely.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Methods:

You can write a script and put it on a scheduler to check the service and/or settings - and just every 30 minutes or hour enforce those settings.

You could set the group policy which will grey the settings out for them and yourself. (anytime you make changes you'd need to do it via group policy).

You could write a script to monitor the service/configuration and cut an email / write a log.

You could download some configuration management software to enforce the settings remotely (either from a server on the same network or remotely over a tunnel directly to the server)

You could promise by Odin's beard to open a can of whoop ass if they touch it.

 

Thoughts:

Why do they need to be an administrator? It's better to make them a standard user and then cherry pick the things they need to be able to do. Any setting or policy you do is going to affect both accounts since they're both "administrators."

 

If you leave them as an administrator and you do figure something out, they'll just have the rights to undo whatever you set.

 

On a final note, if you cannot trust them to respect your decision to leave the firewall on, then they should not be an administrator. Anyone at my job does something like that they're let go (other places likely you'd be on final notice).

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
  • Author
On 11/14/2017 at 5:34 PM, dalekphalm said:

Uhm... you can't do that. An Administrator is an Administrator in Windows.

 

Certainly not without a Domain.

 

Now, I'm assuming you're talking about a Windows Server. If another OS? That kind of permission change may be possible.

 

If you don't want an account to disable the firewall, change it's permission level to Standard (Windows), or remove/disable it completely.

Yeah my solution was AD. 

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Servers, NAS, and Home Lab

×