Potential password reset security issue
Operating system version
Description of the issue
Cannot delegate account administration authority without creating potential security risk.
I want to reserve [Full Access] privileges for the database creator and delegate account management to an administration or coordinator account that has less than full access rights. Setting up a script to use contact information contained in database records and scripts to create/enable/disable accounts and reset passwords requires allowing administrator account to execute script with full access rights. Built in error checking prevents disabling the [Full Access] privilege account, but does not prevent resetting the full access account password. I cannot find a way for the script to check the privilege set (of other user account) prior to resetting the password. The administrator can therefore reset the full access account password and then log in using that account.