I've asked that many times.  And been told that it is a requirement. 

Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003



From:   Brian Desmond <[email protected]>
To:     "NT System Admin Issues" <[email protected]>
Date:   11/18/2011 11:37 AM
Subject:        RE: Delegation question



Why do they need the ability to reset passwords on protected accounts?
 
Thanks,
Brian Desmond
[email protected]
 
w – 312.625.1438 | c   – 312.731.3132
 
From: Christopher Bodnar [mailto:[email protected]] 
Sent: Friday, November 18, 2011 9:15 AM
To: NT System Admin Issues
Subject: Delegation question
 
Currently our helpdesk staff have the ability to reset passwords for all 
user accounts, including domain admin accounts. Our internal auditors want 
us to take away the ability of helpdesk staff to change domain admin 
passwords, but not to remove their ability to reset passwords for users in 
"protected groups". That's where I'm running into a wall. Theoretically, if 
all the domain admin accounts were in one OU I could do this by revoking 
access to that OU, but unfortunately that is not the case and I don't 
think it's possible the way things are set up right now (service accounts 
in domain admins, etc.). What I'm afraid of is that something will break 
if I move those accounts, specifically the service accounts. 

Any thoughts on this? 


Chris Bodnar, MCSE, MCITP