Currently our helpdesk staff have the ability to reset passwords for all 
user accounts, including domain admin accounts. Our internal auditors want 
us to take away the ability of helpdesk staff to change domain admin 
passwords, but not to remove their ability to reset passwords for users in 
"protected groups". That's where I'm running into a wall. Theoretically, if 
all the domain admin accounts were in one OU I could do this by revoking 
access to that OU, but unfortunately that is not the case and I don't 
think it's possible the way things are set up right now (service accounts 
in domain admins, etc.). What I'm afraid of is that something will break 
if I move those accounts, specifically the service accounts. 

Any thoughts on this?


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003
