You can try setting "deny" for "Reset Password" permission. But that would
not stop a knowledgeable (or determined) Domain Admin. Which then raises the
question of trust. Why make this person a Domain Admin if you do not trust
him/her with access to EVERYTHING?

In my opinion, trying to deny him access to "some" objects after you've given
him a blank check to ALL the objects in the Domain is not the way to go. I'd
remove him/her from Domain Admins group, then grant him/her access to things
he/she NEEDS (not WANTS) access to.

Sincerely,
Deji Akomolafe, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Stuart, Cory G.
Sent: Mon 2/16/2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Restrict Administrative Privileges
Hi All,

Is there a way to deny password changing abilities to a Domain
Administrator for only a limited set of accounts? These accounts reside in
their own OU, which because of the permissions set, that Domain Admin cannot
even see it when in ADUC. I thought that my problem was solved. I just
found out that this Domain Admin can still use DSMOD to change passwords of
users within that OU. Any help is appreciated!

Thanks!!

Cory
-----------------------------------
Cory G. Stuart
Network Administrator
Nuclear Engineering Division
Argonne National Laboratory
-----------------------------------
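
Added example, not part of either message: an audit of an OU's security descriptor that flags "deny Reset Password" ACEs whose trustee can still rewrite the DACL, which is the situation the reply describes. The domain SID, the SDDL string, the group-membership map and the function names are constructed for illustration.

```python
import re

# Schema GUID of the "Reset Password" (User-Force-Change-Password) extended right.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
# Access-mask bits for the SDDL rights tokens this audit cares about.
BITS = {"CR": 0x100, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}

# Constructed sample data (not from the thread): a hypothetical domain SID, the
# SDDL of the protected OU, and who belongs to Domain Admins ("DA" in SDDL).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
RESTRICTED_ADMIN, HELPDESK = f"{DOMAIN}-1105", f"{DOMAIN}-1200"
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    f"(OD;CI;CR;{RESET_PASSWORD};;{RESTRICTED_ADMIN})"  # the "deny" from the reply
    f"(OA;CI;CR;{RESET_PASSWORD};;{HELPDESK})"          # delegated reset right
    "(A;CI;GA;;;DA)"                                    # Domain Admins: full control
    "(A;CI;LCRPRC;;;AU)"                                # Authenticated Users: read
)
MEMBER_OF = {RESTRICTED_ADMIN: {"DA"}}

def mask(rights):
    """Turn an SDDL rights field (hex or two-letter tokens) into the bits above."""
    if rights.startswith("0x"):
        return int(rights, 16)
    return sum(BITS.get(tok, 0) for tok in re.findall("..", rights))

def audit(sddl):
    """Return trustees denied Reset Password and trustees able to rewrite the DACL."""
    owner = re.search(r"O:(S-[\d-]+|[A-Z]{2})", sddl).group(1)
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl).group(1)
    denied, rewriters = set(), {owner}  # an owner can change the DACL by default
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        kind, _flags, rights, obj, _inherit, trustee = ace.split(";")[:6]
        bits = mask(rights)
        if kind in ("D", "OD") and bits & BITS["CR"] and obj.lower() in ("", RESET_PASSWORD):
            denied.add(trustee)
        if kind == "A" and bits & (BITS["WD"] | BITS["WO"] | BITS["GA"]):
            rewriters.add(trustee)
    return denied, rewriters

def ineffective_denies(sddl, member_of):
    """Denied trustees who can undo their own deny, directly or through a group."""
    denied, rewriters = audit(sddl)
    return {t for t in denied if ({t} | member_of.get(t, set())) & rewriters}

if __name__ == "__main__":
    print("deny ACEs that do not bind:", ineffective_denies(SAMPLE_SDDL, MEMBER_OF))
```

With the account taken out of Domain Admins (an empty membership map), the same descriptor reports no ineffective deny, which matches the reply's advice to remove the group membership and delegate only what is needed.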