+1

Not that hard to do and it is for the best.

Jon

On Fri, Nov 18, 2011 at 10:32 AM, Ken Schaefer <[email protected]> wrote:

> This is just something that requires proper analysis before implementation.
>
> Ideally you should have some way of separating out service accounts anyway (whether that be by OU or group). Real-life domain admins should also be separated out. Start with organising this part.
>
> At the same time, do an analysis (and documentation) of the rights of these accounts, so that the migration can be implemented relatively painlessly. The documentation will come in handy in DR scenarios etc.
>
> Cheers
>
> Ken
>
> *From:* Christopher Bodnar [mailto:[email protected]]
> *Sent:* Friday, 18 November 2011 11:15 PM
> *To:* NT System Admin Issues
> *Subject:* Delegation question
>
> Currently our helpdesk staff have the ability to reset passwords for all user accounts, including domain admin accounts. Our internal auditors want us to take away the ability of helpdesk staff to change domain admin passwords, but not to remove their ability to reset passwords for users in "protected groups"; that's where I'm running into a wall. Theoretically, if all the domain admin accounts were in one OU I could do this by revoking access to that OU, but unfortunately that is not the case and I don't think it's possible the way things are set up right now (service accounts in domain admins, etc...). What I'm afraid of is that something will break if I move those accounts, specifically the service accounts.
>
> Any thoughts on this?
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
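
The inventory step Ken describes, sketched in PowerShell as an added example that is not part of the original thread: it records where each privileged account lives and whether it looks like a service account, so the split by OU or group can be planned and documented before anything is moved. The function name, the sample records and the `example.test` domain are constructed, and treating a registered SPN as the mark of a service account is an assumption.

```powershell
# Added example: classify privileged accounts by parent container and type.
function Get-AdminAccountInventory {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            # Drop the leading RDN (honouring escaped commas) to get the parent OU/container
            ParentContainer = $Account.DistinguishedName -replace '^.+?(?<!\\),', ''
            # Heuristic (assumption): a registered SPN marks a service account
            LikelyService   = @($Account.ServicePrincipalName | Where-Object { $_ }).Count -gt 0
            Enabled         = $Account.Enabled
        }
    }
}

# Constructed sample records standing in for live directory data
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-jdoe';   Enabled = $true
        DistinguishedName    = 'CN=adm-jdoe,OU=Staff,DC=example,DC=test'
        ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true
        DistinguishedName    = 'CN=svc-backup,OU=Staff,DC=example,DC=test'
        ServicePrincipalName = @('backup/srv01.example.test') }
    [pscustomobject]@{ SamAccountName = 'svc-sql';    Enabled = $true
        DistinguishedName    = 'CN=svc-sql,OU=Servers,DC=example,DC=test'
        ServicePrincipalName = @('MSSQLSvc/sql01.example.test:1433') }
)

$inventory = $sample | Get-AdminAccountInventory
$inventory | Sort-Object ParentContainer, SamAccountName | Format-Table -AutoSize

# Containers holding both people and services need the most care when splitting
$inventory | Group-Object ParentContainer | ForEach-Object {
    [pscustomobject]@{
        Container = $_.Name
        Humans    = @($_.Group | Where-Object { -not $_.LikelyService }).Count
        Services  = @($_.Group | Where-Object { $_.LikelyService }).Count
    }
} | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), replace $sample with:
#   Get-ADGroupMember 'Domain Admins' -Recursive |
#     Where-Object { $_.objectClass -eq 'user' } |
#     Get-ADUser -Properties ServicePrincipalName
```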
