How can I hide the administrator account and track user history?
I would like to create user accounts with admin access, but I don't want the users to mess up the real administrator account. Is there a way to hide the administrator account, so it's not visible to other users, even though they have admin rights? Also, I would like to know if there is a built-in tool in Windows 2000 that can track the user history (i.e., what exactly they are doing on the server).
While there is no way to hide the administrator account, there are a number of workarounds that might fit your needs. Depending on why your users specifically require administrative access, you can create customized and restricted Microsoft Management Consoles so that they can only perform those tasks that are necessary to their job function. Alternately/additionally you can separate users into different organizational units (OUs) and limit their administrative access to only those objects within their "home" OU, obviously leaving the administrator account in a different OU.
In terms of tracking user history in Windows 2000, you can audit logon and logoff, file/object access, use of user rights and several other items through group policy or local machine auditing -- the results of which would be logged to the machine's security log. If you have many machines' logs to monitor, Microsoft offers a free utility called EventComb that will query multiple security log files for specific EventID's or user names; there are also third-party utilities that will assist in centralizing this process. Hope this helps.
This was first published in November 2002