On Fri, Nov 18, 2011 at 10:15 AM, Christopher Bodnar <[email protected]> wrote:

> Our internal auditors want us to take away the ability of
> helpdesk staff to change domain admin passwords ...

I'd say that's a good idea.

> if all the domain admin accounts were in one OU I could do this by revoking
> access to that OU ...

Generally speaking, it's better to simply only add Allow permissions where needed, and avoid using Deny at all. (Not sure if that's what you mean by "revoke" here.)

> but unfortunately that is not the case and I don't think
> it's possible the way things are set up right now (service accounts in domain
> admins, etc...).

Sounds like you need to change the way things are now then. :)

> What I'm afraid of is that something will break if I move
> those accounts, specifically the service accounts.

Anything you do can break things, including doing nothing.

Observe. Research. Analyze. Test. Deploy. In that order, going back as often as needed.

Specifically, use tools like GPMC, RSOP, etc., to see what Group Policies are applied to those OUs, and what the resulting GP settings will be. Then plan changes to your GPO/OU/link scheme that keep things intact.

--
Ben
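The "Observe" step above, as an added PowerShell example that is not part of the original thread: it lists every member of Domain Admins, the container each account lives in, the GPOs linked to that container (the view GPMC/RSOP gives), and which principals currently hold Reset Password rights on each account, so the delegation can be tightened to explicit Allow entries before anything is moved. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and uses the well-known GUID of the Reset Password extended right.

```powershell
# Added example (not from the original thread). Inventories Domain Admins members,
# their containing OUs, GPOs linked to those OUs, and who can reset each account's password.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Well-known GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllRights          = [guid]'00000000-0000-0000-0000-000000000000'   # ACE covering all extended rights

function Get-ParentDn([string]$Dn) {
    # Strip the leading RDN, tolerating escaped commas in the CN.
    return ($Dn -replace '^CN=(?:\\,|[^,])+,', '')
}

$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
           Where-Object { $_.objectClass -in @('user', 'computer') }

# Group accounts by container so the OU layout is visible before any move is planned.
$byOu = $members | Group-Object -Property { Get-ParentDn $_.DistinguishedName }

foreach ($ou in $byOu) {
    Write-Host "`n== Container: $($ou.Name)"
    Write-Host "   Accounts: $(($ou.Group | ForEach-Object SamAccountName) -join ', ')"

    # Linked and inherited GPOs for this container (what GPMC/RSOP would show).
    try {
        $inh = Get-GPInheritance -Target $ou.Name
        foreach ($l in @($inh.GpoLinks) + @($inh.InheritedGpoLinks)) {
            Write-Host ("   GPO: {0,-40} enabled={1} enforced={2}" -f $l.DisplayName, $l.Enabled, $l.Enforced)
        }
    } catch {
        # e.g. the default CN=Users container, which is not an OU and carries no GPO links.
        Write-Host "   (GPO links not applicable here: $($_.Exception.Message))"
    }

    # Allow ACEs that let a principal reset the password on each account.
    foreach ($acct in $ou.Group) {
        $acl = Get-Acl -Path "AD:\$($acct.DistinguishedName)"
        $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    $_.ActiveDirectoryRights -match 'GenericAll' -or
                    ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
                     $_.ObjectType -in @($ResetPasswordRight, $AllRights)))
            } |
            ForEach-Object {
                Write-Host ("   ResetPwd on {0}: {1} ({2})" -f $acct.SamAccountName, $_.IdentityReference, $_.ActiveDirectoryRights)
            }
    }
}
```

Run it before and after the OU/delegation change and diff the two outputs; any helpdesk group still appearing in the ResetPwd lines is an Allow entry that has yet to be removed.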
