Windows 10: Domain user/ local admin does not have access to task manager oer change password

Hi,In my domain, I have two domain users who are local admins, one of the has complete access but the other one has some wired access. This user can install/uninstall applications or create local user and make it part of local administrator group then can delete it, but i.e. ctrl+alt+del does not able to open task manager or change password. right click on the taskbar wont open any menu to open task manager. can not change anything in personalize setting.there is no group policy on the user or computer, no log on bat file or anything. it is only that one user has this problem anywhere logs in.

:)

 

Managing password resets for local admin

Need more clarification on the matter, from what I'm seeing you're asking if you can somewhat automate managing passwords on hundreds of printers, scanners, mfp's. Without more details such as what brand(s) and model(s) you're using, confirming the capabilities of account management for those, we can speculate and make suggestions but they might not be as helpful as you'd like.

With some of those devices, finding out if they're tied to RADIUS or LDAP and if you're also taking advantage of security group assignments, that would be vastly more helpful. Then at that point if you're utilizing access privileges and restrictions based on security groups for devices to manage who even has authorized access. I would assume a company that size is likely running with all of those in-place, but you know what they say about ASSumptions. *Wink

Beyond that setting an extremely complex password for the default admin or disabling that account and creating a uniquely named account that only you and your security team know would be the way to go as well. Would still be a lot of manual work, and not sure what you can truly do to avoid that, so make the manual changes really count for something where you can. Security management in IT isn't easy, and access control is one of those things that takes a lot more involvement at various stages to do and execute correctly.

I'd say make the account name changes, make the password 64+ chars long, and perform annual or bi-annual changes as needed. Again, hopefully as-far-as user access-control, you're able to take advantage of a directory sync service and manage access from a print server with security groups.

 

Managing password resets for local admin

Can you ping these VIA DNS? from a central server? like Code: ping Desktop-1[/quote] TBH it looks like @Kursah addressed most of the issues. Realistically even IF there was a way to change the passwords remotely while I appreciate as a help desk tech your willingness to address a glaring issue it is the wrong first step. It looks like the system admins have alot of work ahead of them and maybe you could gently spearhead a campaign to get those units connected to the domain in active directory because right now you are trying to flavor water in a pool and not the bottles.

These PCs need to be part of the forest ASAP so they can be properly managed.

 

Managing password resets for local admin

Without knowing how things are integrated, if they are, or how they are, especially for current access control privileges and restrictions, you're really at odds for deploying anything useful to your managed infrastructure.

Maybe you can work with one of the security division's engineers to obtain that information if you have reached a level of trust and the task for what you're doing is something you should be officially taking care of. In that case, you need to be at least privy to what solutions are being utilized for user account management, security, and access, what third party print management service(s) are in-use, etc.

The issue here is if you're access is limited, your knowledge of the infrastructure and deployed solutions is limited, it'll be nigh impossible to provide a consistent usable solution that will even work for your site's needs and requirements. That puts you at a major disadvantage, so hopefully you can work with someone that does have that knowledge.

As I suggested above with printers, sounds like unless the software can moderate access on the default admin/access account, you'll be faced with manual access of each device to manage them appropriately. At which point doing what I suggested above might make sense, it also might help to task an individual at each site with taking care of this task to break it down into manageable chunks.

Some devices allow or offer centralized management, but not knowing if what your site has deployed all are able to use that or if the third party management for printers and scanners is merely for access control, print count limitation, etc. or if it also allows device account modifications as well again leaves you at a disadvantage.

In security, knowledge is key. You have to know how a site is deployed, managed and ultimately used. Without that knowledge coming up with an appropriate account management solution that you can actually execute beyond a written proposal won't happen. I am curious exactly what they expect from you here if anything beyond a written proposal or maybe they want you to find out what they already know?

Either way, sounds like you need to know more about what you're working with to get to the end result you seek in an appropriate fashion. *Toast :toast: