In our SB environment, we have created regional "admin" user groups which simply have a higher administration level and the right to administrate all user/machine groups in their region.
Recently it has transpired that the members of these groups cannot reset the passwords of their fellow admins in the group. This is a problem as it means a simple password reset for a local admin has to be escalated to one of a few global admin staff.
Can anyone point me in the right direction for this? Is it something to do with the administration levels, or is it because you cannot reset passwords for users in the same group as you? Ideally, we will nominate a couple of people in each region with the rights to reset admin passwords for their region. I'd rather not create another level of admin groups if possible.
If all admins are the same level in access then this is correct, you won't be able to edit each other's accounts (this is an intended security feature).
Your best solution is the one you stated; have in each group a few individuals with a higher level of access (so if the majority have level 10 then give one or two level 11 for example). I would also recommend you tell your admins to remember their passwords.
This is of course the only way they will ever learn!
Another solution occurs to me though; if you're using the newer version of Safeboot/EE then you can self-recover in conjunction with the web interface, but if you don't have the web interface set up and in use, and the admins don't forget their passwords that often, then it's probably not worth the effort.
Worth noting for future readers that this obviously doesn't apply to Level 32 users, who are free to modify any other Level 32 users. I believe best practice, however, is not to have any actual Level 32 users and leave that for a master account or two only.
Good point. Also worth noting that you can't change the admin level of individual users within the same user group, you can only set the admin level for the entire group. At least, this seems to be the case for me. This means you need a separate user group for admins who will have the higher admin level in order to reset our normal admin accounts.
If you are using "controlled" groups then that is the case. If however you create a normal group (do NOT tick the box "All members of the group should have the same configuration") then the group is uncontrolled. Then new user objects created inherit group settings but then can be customised individually afterwards.