restrict reset of Admin Password

  • Thread starter Thread starter Altria
  • Start date Start date
A

Altria

Hello All,
Is there a way that I can have my staff not be able to reset the Admin
password and leave them with group membership of server operators and
account operators. I give these priviledges to them so that they are able to
join computers and users onto the domain during rollout. Or is it better to
create a temporary account and delete it afterwards with the appropriate
permissions. In most cases what priviledges are given to support staff? I
would like to limit as much as I can but I would like them to get on with
thier daily duties?
My Main concern is the Admin password reset though.
TIA,
Altria
 
Server operators and account operators can not reset or otherwise modify
user accounts that are administrators, though other administrators in the
domain can or anyone in the enterprise admins group for the forest. You
could also look into AD delegation at the domain or OU level that will allow
you to delegate many rights to a user without special group membership
including adding computers and users to the domain. At the domain or OU
level right click the container and select delegate to start the delegation
wizard which includes common tasks and also allows you to add custom tasks.
Also look in help for delegate or delegation. --- Steve
 
In addition - personally, I'd give them two accounts - one that has only
regular user-level privileges, and another for admin use that they should
only use when performing admin tasks. Enable auditing if you want to see who
did what when.
 
Hello Steven,
Thanks for the rapid reply...I will look into delegation.
Also, the answer you provided includes change of Admin password at the local
machine (server) is also not possible.
Thanks,
Altria
 
Note also that it is difficult if not impossible to prevent someone in the
administrators or domain administrators group from doing anything they want.
Anything one admin can do, another admin can undo. The most you can hope to
do here is hopefully to detect it when it happens.
 
Back
Top