Admin OU password change


Mathias

Hi,
I was wondering whether it were possible to delegate
control to a non-administrative user to reset passwords
in the Admin OU? I've got the rest of the OUs sorted
but this is proving to be a real thorn in my side.

Thanks,
Mathias
 
Mathias,

What 'Admin OU' do you mean? Have you created an OU called 'Admin' and then
placed all of the user account objects which are a member of the 'Domain
Admin' group ( or similar ) in that OU? Now you are trying to delegate to
a 'regular' user account object the ability to change the passwords for
these 'Admin' user account objects?

If this is the case then I might suggest that you re-think what you are
doing! And very quickly. Do you really want a 'regular' user to be able to
change the passwords for all of the 'Domain Admins'? Now that person could
access just about everything ( and the things that he/she could not access -
due to the necessity of being an Enterprise Admin or a Schema Admin - could
very quickly be accessed with one or two very quick and easy changes! ).

HTH,

Cary
 
I had to think about this... a LOT..

Small office. Business manager or other administrative person. Boss
decides that this person is in charge of passwords for the entire
domain because IT isn't far enough up the chain of command to be held
responsible for something as important as passwords.

That may not be his reason, but it could happen...

It's along the same vein as not being allowed your boss's password
(for security reasons) but yet you are an AD admin and could change it
in 10 seconds.

Politics are fun.

Danny Messano
 
Danny,

I do not understand how the IT Department can not be high enough up the
chain of command to be held responsible for something so important as
passwords? This thought process makes absolutely zero sense to me. Do
these supposedly intelligent people have any idea what the IT department
does / can do / is responsible for doing?

I might have a difficult time working in a situation where the thought
process at any company is that the IT Department can be filled by any monkey
off of the street. That usually speaks volumes as to the type of company it
is.

Or am I completely misunderstanding this? I do indeed understand politics.
I worked in the Entertainment Industry in Beverly Hills for 2 1/2 years
before moving to the East Coast. Lots of little tiny lap dogs yapping
"YES!" all the time to the boss.....

Cary
 
Thanks for the help guys. I didn't explain myself very
well but the regular users to be delegated control were
our Helpdesk staff and the Admin OU is indeed an OU with
all the admin accounts. My boss has just decided that
their access level is too high and that I should find a
way to rectify this situation, this being complicated by
the fact that we use a single sign-on product and have to
open VMware sessions to access this info. I've got about
10 different sub-tasks in there but your responses were
enough to get me past my stumbling block.

Much appreciated,
Mathias.
 