Changing security settings using External Server Accounts

I've seen several posts regarding External Server Accounts (ESAs) not being able to change security settings. I actually liked the idea that I could set up a local full access account that was the only account with ultimate control over security, while ESAs could have access to everything (including database management) but not security.


I was using this as an added level of security until I realized there is a way for an ESA to change security settings! I discovered that an ESA can't change existing accounts, but it can create a new full access local account and then use the new account to authenticate the changes. Does anyone know how to prevent an ESA from creating a new full access local account?