restrict reset of Admin Password

Altria

Hello All,
Is there a way that I can have my staff not be able to reset the Admin
password and leave them with group membership of server operators and
account operators? I give these privileges to them so that they are able to
join computers and users onto the domain during rollout. Or is it better to
create a temporary account and delete it afterwards with the appropriate
permissions? In most cases what privileges are given to support staff? I
would like to limit as much as I can but I would like them to get on with
their daily duties.
My main concern is the Admin password reset though.
TIA,
Altria
 
Steven L Umbach

Server operators and account operators cannot reset or otherwise modify
user accounts that are administrators, though other administrators in the
domain can, or anyone in the enterprise admins group for the forest. You
could also look into AD delegation at the domain or OU level that will allow
you to delegate many rights to a user without special group membership,
including adding computers and users to the domain. At the domain or OU
level, right-click the container and select Delegate to start the delegation
wizard, which includes common tasks and also allows you to add custom tasks.
Also look in help for delegate or delegation. --- Steve
 
Lanwench [MVP - Exchange]

In addition - personally, I'd give them two accounts - one that has only
regular user-level privileges, and another for admin use that they should
only use when performing admin tasks. Enable auditing if you want to see who
did what when.
 
Altria

Hello Steven,
Thanks for the rapid reply...I will look into delegation.
Also, the answer you provided includes change of Admin password at the local
machine (server) is also not possible.
Thanks,
Altria
 
Karl Levinson [x y] mvp

Note also that it is difficult if not impossible to prevent someone in the
administrators or domain administrators group from doing anything they want.
Anything one admin can do, another admin can undo. The most you can hope to
do here is hopefully to detect it when it happens.
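
The auditing and detection suggested in the replies above, as an added example that is not part of the original thread: a PowerShell function that picks password resets aimed at the Administrator account out of Security log events. It assumes account management auditing is enabled and that the domain controllers log event 4724; the function name, the watch list and the sample event are constructed for illustration.

```powershell
# Added example. Assumes "Audit User Account Management" is enabled on the DCs
# and that they log event 4724 (password reset attempt, Server 2008 and later).
function Get-PrivilegedPasswordReset {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $EventXml,
        [string[]] $WatchList = @('Administrator')   # hypothetical list of protected names
    )
    process {
        foreach ($raw in $EventXml) {
            $evt = ([xml]$raw).Event
            if ($evt.System.EventID -ne '4724') { continue }
            # EventData is a flat list of <Data Name="...">value</Data>; index it by name.
            $data = @{}
            foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # RID 500 is the built-in Administrator, which catches a renamed account too.
            $hit = ($data['TargetSid'] -match '-500$') -or ($WatchList -contains $data['TargetUserName'])
            if ($hit) {
                [pscustomobject]@{
                    Time    = $evt.System.TimeCreated.SystemTime
                    Target  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    ResetBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    DC      = $evt.System.Computer
                }
            }
        }
    }
}

# Constructed sample event (not real log data) so the function can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">jsmith-adm</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
$sample | Get-PrivilegedPasswordReset
# On a DC, read the Security log instead of the sample:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} | ForEach-Object { $_.ToXml() } | Get-PrivilegedPasswordReset
```

Because each support person uses a separate admin account, as recommended above, the ResetBy column identifies who performed the reset.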
 
