This is just something that requires proper analysis before implementation.
Ideally you should have some way of separating out service accounts anyway (whether that be by OU or group). Real-life domain admins should also be separated out. Start with organising this part. At the same time, do an analysis (and documentation) of the rights of these accounts, so that the migration can be implemented relatively painlessly. The documentation will come in handy in DR scenarios etc.

Cheers
Ken

From: Christopher Bodnar [mailto:[email protected]]
Sent: Friday, 18 November 2011 11:15 PM
To: NT System Admin Issues
Subject: Delegation question

Currently our helpdesk staff have the ability to reset passwords for all user accounts, including domain admin accounts. Our internal auditors want us to take away the ability of helpdesk staff to change domain admin passwords, but not to remove their ability to reset passwords for users in "protected groups". That's where I'm running into a wall. Theoretically, if all the domain admin accounts were in one OU I could do this by revoking access to that OU, but unfortunately that is not the case and I don't think it's possible the way things are set up right now (service accounts in domain admins, etc.). What I'm afraid of is that something will break if I move those accounts, specifically the service accounts. Any thoughts on this?
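The analysis-and-documentation step Ken recommends, as an added example that is not part of either message in the thread. The script inventories every user reached through the groups that SDProp protects via AdminSDHolder, flags the ones that look like service accounts (SPN set or password never expires, a heuristic only), writes that inventory to CSV, and then reports where the helpdesk group currently holds "Reset Password" or GenericAll. It checks AdminSDHolder itself as well as the account OUs, because SDProp re-stamps the AdminSDHolder ACL onto every protected account (adminCount=1) roughly hourly, so a delegation granted or revoked on an OU does not persist on those accounts; the effective right on domain admins comes from AdminSDHolder or from membership in a built-in operator group. It assumes the RSAT ActiveDirectory module, PowerShell 3 or later, and a helpdesk group named "Helpdesk" (placeholder name). It is read-only and changes nothing.

```powershell
# Added example (not from the original thread). Read-only inventory and ACL report
# to run BEFORE moving any protected or service account.
# Assumptions: ActiveDirectory module available; helpdesk group is named "Helpdesk"
# (placeholder, change to the real name); PowerShell 3 or later.
Import-Module ActiveDirectory

$HelpdeskGroup = 'Helpdesk'                                      # assumed group name
$Domain        = Get-ADDomain
$ResetPwdGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'    # well-known extended right "Reset Password"

# Groups whose members SDProp protects through AdminSDHolder. Enterprise Admins and
# Schema Admins exist only in the forest root, so a missing group is skipped below.
$ProtectedGroups = 'Account Operators','Administrators','Backup Operators','Domain Admins',
                   'Enterprise Admins','Print Operators','Schema Admins','Server Operators',
                   'Replicator','Domain Controllers','Read-only Domain Controllers'

# 1. Inventory: every user account reachable through a protected group (nested included).
$Members = foreach ($g in $ProtectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [PSCustomObject]@{ Group = $g; Dn = $_.distinguishedName } }
}

$Inventory = $Members | Group-Object Dn | ForEach-Object {
    $u = Get-ADUser -Identity $_.Name -Properties servicePrincipalName, passwordNeverExpires, lastLogonDate, adminCount
    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        ProtectedGroups = ($_.Group | ForEach-Object { $_.Group } | Sort-Object -Unique) -join ';'
        OU              = ($u.DistinguishedName -split ',', 2)[1]       # parent container DN
        # Heuristic: an SPN or a non-expiring password usually means "service account".
        LikelyService   = ($u.servicePrincipalName.Count -gt 0) -or [bool]$u.passwordNeverExpires
        LastLogon       = $u.lastLogonDate
        AdminCount      = $u.adminCount
    }
}

$Inventory | Sort-Object LikelyService, SamAccountName | Format-Table -AutoSize
$Inventory | Export-Csv -NoTypeInformation -Path .\protected-accounts.csv    # the documentation to keep

# 2. Where does the helpdesk group get its reset right today? Check AdminSDHolder
#    (the ACL that SDProp copies onto every protected account) plus every OU that
#    currently holds one of these accounts.
$Targets = @("CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)") +
           ($Inventory | Select-Object -ExpandProperty OU | Sort-Object -Unique)

$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$Report = foreach ($dn in $Targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object {
            $_.IdentityReference -like "*\$HelpdeskGroup" -and
            $_.AccessControlType -eq 'Allow' -and
            ( $_.ObjectType -eq $ResetPwdGuid -or $_.ActiveDirectoryRights.HasFlag($GenericAll) )
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Target      = $dn
                Right       = if ($_.ObjectType -eq $ResetPwdGuid) { 'Reset Password' } else { $_.ActiveDirectoryRights }
                Inherited   = $_.IsInherited          # inherited ACEs mean the grant lives higher up the tree
                Inheritance = $_.InheritanceType
            }
        }
}
$Report | Format-Table -AutoSize
```

Anything listed under the AdminSDHolder target is what actually lets the helpdesk reset domain admin passwords; an ACE on an OU only matters for accounts that are not protected. One thing the script does not check is whether the helpdesk group is nested inside Account Operators, which grants password reset on most user objects without any delegated ACE, so confirm that membership separately (Get-ADPrincipalGroupMembership on the helpdesk group, following nesting by hand). Accounts flagged LikelyService with recent LastLogon are the ones to trace to their services before moving them, since a move changes only the DN, not the SID, group membership or password, but anything that binds to the account by its distinguished name will break.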
