Want group to enable administrator account but not change its password

Is this even possible?

Sorry, What is it you are asking?

Custom group whose members are able to activate the deactivated administrator account, but are now allowed to change its password.

Don't think so. To enable the Built in Admin account you would need to have a Named Admin account already. If you already have one of those type accounts you can change the password on any account.

Same goes if they had an Admin password even though they were standard users.

If you are going to allow standard users to install software you might as well give them and Admin account.

Admin account has more privileges than I want most people to have. User account has too few. I generally set my security fairly granularly on my Linux servers, but I'm finding the amount of control I'm given extremely lacking on the Windows servers. Granted 7 isn't a perfect analog to 2008 Server, but I had already registered here before I realized I was on a Windows 7 specific forum and figured it was worth a shot.

The idea is to require administrators to use their accounts to activate the Administrator account and then log in to the administrator account with a different password if they want to affect monitoring, allowing the administrators to administrate but putting another password between them and event logging and such, leaving an extra layer of security in between the administrator's personal account and the true administrator account that has the ability to destroy the audit trail in the event that the less privileged account is compromised.

Look into a Power User account. Not normally available in the Control Panel User Accounts but if you open RUN and type Control Userpasswords2 and hit enter you get this screen.



Then highlight the user name and click properties and you get this window.



Then go to the Group Membership tab (Pictured) and click the Other section. From there click the drop down arrow and select Power User.