Posted August 11, 2007
Well, I've been forum-ing for ages now, and one thing I've noticed: the majority of boards have more than one administrator. Now, IPB comes with a Root group, and a regular Admin group. While this is a good idea, I'd like my admins to do more than non-root can (mainly in the Admin tab). However, if I add them to the root group, then that opens up a security hole. I'm suggesting a line in the config file for an array of "Super Admins" - user numbers that can edit any and all accounts, but cannot be edited or deleted by anybody.
August 12, 2007
They would have been deletable by the root account of course?
What is the issue now? Can an admin delete another admin? If so, that is about stupid IMHO :P
August 13, 2007
If you're worried about 'SuperAdmins' editing or deleting your account, then they shouldn't really be admins at all? You should be able to trust them 100%
August 14, 2007
Not worried about other admins, worried about hackers/vulnerabilities their computers may have.
August 14, 2007
Well, there's not all that much more that can be done by root administrators in comparison to non-root administrators. What exactly are you referring to?
In any case, it's not that difficult to add a new field to the groups table that can be used to grant additional privileges if needed. As long as you don't add them to the root admin group, they can't do anything to root admins, which would then be your superadmin group.
August 15, 2007
But what he is saying, even the way you're saying makes those admins restricted, a lot of things are restricted for ROOT admins, such as SQL toolbox, and admin logs.
August 17, 2007
If you're worried about trustworthiness, the SQL toolbox is the last place you'd want them to access. Same with admin logs (I mean, you'd want to have some way of keeping tabs on them, no?). Really the only thing I can see to be useful is for viewing invisibly logged on users or something.
Oh, and I've also just discovered that you can add the root admin as a secondary group and still have ACP restrictions applied on them. So that'd work to get around the "superadmin" issue (although I still don't see what restrictions would need or want to be overwritten).
And again, it is not *too* difficult to change the few places that are explicitly "root admin only."
August 18, 2007
It's not difficult at all, it just takes time, you only have to remove one if statement from the auto_run() function, and you're good to go :)