Admin changing other Admin passwords?

**crazyfruitbat** · Fri 30 Apr '10, 3:43am

I think it only depends on what admin account is specified on the config file. If the admins are protected then you cannot change them unless you change that file. I suggest talking to all members involved in the site to ensure you are enstated as such - if you are co owner I would be quite strong about the point

**Bundle** · Fri 30 Apr '10, 3:54am

I've tested it using a new Administrator account and any Admin can definitely change other Admin's accounts, including the one specified as SuperAdmin in the config file.

**M@tt** · Fri 30 Apr '10, 5:46pm

Can't you have yourself as admin, everyone else as super moderators and modify that groups permissions to give them everything they need. Obviously except the ability to change your password?

**Bundle** · Fri 30 Apr '10, 6:39pm

Originally posted by M@tt

Can't you have yourself as admin, everyone else as super moderators and modify that groups permissions to give them everything they need. Obviously except the ability to change your password?

Well the problem was that I need them to be able to alter regular users details if necessary, but this meant they could also get into the main Admin account and essentially lock everyone out (not that I expect anyone to, just being careful!).

Turns out you can specify users to "lock" in the config.php file so that no alterations can be made via the Admin CP, as suggested in the first reply. I just wasn't looking hard enough.

**M@tt** · Sun 2 May '10, 2:54am

Ah yeah, I see what you guys are talking about. Anyone got any advice on the most secure way to set this up? I'm thinking have an account setup with complete admin priviledges which is uneditable/locked etc while the admin account that you use day in/day out should be with just straight admin/deletable priviledges so that if your normal user account gets hacked, you can still login and make changes to your normal day-to-day admin account. Is this what most people do or is there a better way?

**Jacob_ITAPros** · Sun 2 May '10, 6:29am

Open config.php in the includes folder and look for the comment section that states "// ****** UNDELETABLE / UNALTERABLE USERS ******"
Read the description and make the appropriate change.

This is the best way to do this unless there is something outside of the box that I'm not aware of.

**M@tt** · Sun 2 May '10, 6:58am

The users specified here will not be deletable or alterable from the control panel by any users.

I'm just wondering what the definition of this line is exactly. So lets say I have an account called "SA" which is setup as an undeletable/unalterable user, if someone hacks into this account.. Can this account itself change it's own password? So I could be virtually screwed until I restore? Or does this setting stop absolutely 'any' account from making alterations?

Cheers (sorry for hijacking your thread bundle, figured it wasn't worth starting a new one)

**Bundle** · Sun 2 May '10, 12:40pm

Originally posted by M@tt

I'm just wondering what the definition of this line is exactly. So lets say I have an account called "SA" which is setup as an undeletable/unalterable user, if someone hacks into this account.. Can this account itself change it's own password? So I could be virtually screwed until I restore? Or does this setting stop absolutely 'any' account from making alterations?

Cheers (sorry for hijacking your thread bundle, figured it wasn't worth starting a new one)

It basically locks the user against being changed in any way via the Admin CP. Not just password but anything... avatar, email address, usergroups etc etc. so admin with access to alter users can't change anything via the control panel, including yourself.

However, It DOESN'T stop you from changing your own account through the standard forum funtions that all members have access to via My Profile / User CP... through that you can still change your password, avatar etc. as normal. So yeah, if someone hacks directly into your admin account they can change the password.

**Jacob_ITAPros** · Sun 2 May '10, 12:48pm

Actually my experience was to the contrary. When I set an account to undel\unalt, I can't change any info in the ACP or in via password reset functionality in the profile, even if it's my own account. You sure about that Bundle? You've got me second guessing now. I better check again. If you're right then that's goofy.

vBulletin 4 End of Life

Admin changing other Admin passwords?

[Forum] Admin changing other Admin passwords?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment