The questions that are posed are definitely good ones. We, however, know that to be a manager (those who make these wonderful decisions), possessing logic is not a prerequisite. It's just a pain because it's such a limited set of accounts that this admin is not supposed to be able to manage. To specify what this admin can't do (because it's such a limited subset) should be a lot less work than having to grant permissions for everything that the admin can do. By also removing this admin's permissions to change these specific users' passwords (user by stinking user), deny the admin's ability to add new users to the domain admins group, and deny the admin's ability to change any other domain admins' password, I think that I'm in business. If you can think of anything that I'm leaving out, please throw me a bone. :)
Thanks!!!

Cory
-----------------------------------
Cory G. Stuart
Network Administrator
Nuclear Engineering Division
Argonne National Laboratory
-----------------------------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, February 16, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restrict Administrative Privileges

You can try setting "deny" for "Reset Password" permission. But that would not stop a knowledgeable (or determined) Domain Admin. Which then raises the question of trust. Why make this person a Domain Admin if you do not trust him/her with access to EVERYTHING? In my opinion, trying to deny him access to "some" objects after you've given him a blank check to ALL the objects in the Domain is not the way to go. I'd remove him/her from Domain Admins group, then grant him/her access to things he/she NEEDS (not WANTS) access to.

Sincerely,
Deji Akomolafe, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Stuart, Cory G.
Sent: Mon 2/16/2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Restrict Administrative Privileges

Hi All,

Is there a way to deny password changing abilities to a Domain Administrator for only a limited set of accounts? These accounts reside in their own OU, which, because of the permissions set, that Domain Admin cannot even see when in ADUC. I thought that my problem was solved. I just found out that this Domain Admin can still use DSMOD to change passwords of users within that OU. Any help is appreciated!

Thanks!!

Cory
-----------------------------------
Cory G. Stuart
Network Administrator
Nuclear Engineering Division
Argonne National Laboratory
-----------------------------------

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
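The two approaches discussed in the thread, shown side by side as an added example (this is editor-supplied code, not anything posted by Cory or Deji): the Deny ACE on the "Reset Password" control access right that Deji says can be tried, and the least-privilege delegation he recommends instead. The domain corp.example, the OUs "Protected Accounts" and "Staff", the account CORP\jdoe and the group CORP\Helpdesk are assumed names; the three schema GUIDs are the fixed, forest-independent identifiers of the Reset Password right, the user class and the pwdLastSet attribute. It uses only System.DirectoryServices, so it runs without the ActiveDirectory module; whoever runs it must be allowed to modify the OUs' ACLs.

```powershell
# Added example, not from the thread. Assumed names: domain corp.example,
# OUs "Protected Accounts" and "Staff", the over-privileged account CORP\jdoe
# and a least-privilege group CORP\Helpdesk. Run from a domain-joined host
# as an account that may modify ACLs on those OUs.
Set-StrictMode -Version Latest

# Well-known schema GUIDs; these are identical in every AD forest.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right "Reset Password"
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema class "user"
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute pwdLastSet ("must change at next logon")

function Get-Sid([string]$Account) {
    # Store the SID, not the name, so the ACE survives a rename of the account.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Add-ResetPasswordAce {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][System.Security.AccessControl.AccessControlType]$Type
    )
    $ou  = [ADSI]"LDAP://$OuDn"
    # Scope: descendant objects of class user only, not the OU object itself.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Get-Sid $Account),
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Type,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
    $ou.ObjectSecurity.AddAccessRule($ace)
    $ou.CommitChanges()
}

function Get-ResetPasswordAces([string]$OuDn) {
    # Read back every ACE on the Reset Password right, to verify the change
    # (the same entries dsacls prints as "CA;Reset Password").
    $ou = [ADSI]"LDAP://$OuDn"
    $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $ResetPasswordRight } |
        Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceType
}

$protectedOu = 'OU=Protected Accounts,DC=corp,DC=example'
$staffOu     = 'OU=Staff,DC=corp,DC=example'

# 1. What the thread tried: an explicit Deny for one Domain Admin on the OU.
#    Deny ACEs win over Allow ACEs at the same level, so ADUC, dsmod and raw
#    LDAP resets by CORP\jdoe on users under this OU all fail. It holds only
#    until jdoe, still a Domain Admin, takes ownership or rewrites the ACL;
#    nothing here prevents that.
Add-ResetPasswordAce -OuDn $protectedOu -Account 'CORP\jdoe' -Type Deny

# 2. What was recommended instead: remove jdoe from Domain Admins (for example
#    with Remove-ADGroupMember from the AD module) and grant the Helpdesk group
#    only the Reset Password right, plus write on pwdLastSet, on the OU that
#    holds the accounts it is supposed to service.
Add-ResetPasswordAce -OuDn $staffOu -Account 'CORP\Helpdesk' -Type Allow
$ou = [ADSI]"LDAP://$staffOu"
$ou.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-Sid 'CORP\Helpdesk'),
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $PwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)))
$ou.CommitChanges()

Get-ResetPasswordAces $protectedOu
Get-ResetPasswordAces $staffOu
```

Two caveats when checking the result. First, the Deny in step 1 is only as strong as the attacker's inability to edit the ACL, and a Domain Admin can always edit it, which is the trust problem Deji raises. Second, the plan in Cory's reply of denying this admin the right to reset other Domain Admins' passwords cannot be done with ACEs on those accounts: members of protected groups such as Domain Admins have adminCount=1 and their ACLs are overwritten from CN=AdminSDHolder,CN=System by the SDProp process roughly every hour, so a Deny placed on such a user object disappears.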
