Chris-

Realistically you might as well add them to domain admins as you're giving them
that access by proxy. The only way around this is either a proxy-based tool or
modifying adminSdHolder. You can't remove Domain Admins from it, but you're
going to need to add the helpdesk to the adminSdHolder ACL. This will give them
access to edit passwords on any user object protected by adminSdHolder.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: Christopher Bodnar [mailto:[email protected]]
Sent: Monday, October 05, 2009 10:26 AM
To: NT System Admin Issues
Subject: Delegate permission: Reset Domain Admin passwords

We have a requirement that our helpdesk be delegated the right to reset 
passwords for Domain Admin accounts, but need to limit their access. I don't 
want to add them to Domain Admins. I know that the Domain Admins is a protected 
group and I'm aware of the function of the AdminSDHolder object. I could remove 
Domain Admins from that but I don't think that is the way to go with this. I 
just want to delegate that permission to a group. Anyone have to do this yet?


Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003
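
Added example, not part of the original messages: one way to make the AdminSDHolder change described in the reply, granting only the Reset Password extended right and then listing every principal that holds it there. It assumes the RSAT ActiveDirectory module and Domain Admin rights; the group name Helpdesk-PwReset is hypothetical.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and Domain Admin rights.
# 'Helpdesk-PwReset' is a hypothetical group name.
Import-Module ActiveDirectory

$GroupName = 'Helpdesk-PwReset'
# rightsGuid of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPw   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$holder = "AD:\CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$sid    = (Get-ADGroup -Identity $GroupName).SID

# Grant only Reset Password, not Full Control or Write.
$acl = Get-Acl -Path $holder
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $ExtRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $ResetPw)
$acl.AddAccessRule($ace)
Set-Acl -Path $holder -AclObject $acl

# Review: every principal that can reset passwords on protected accounts once
# SDProp (hourly by default, on the PDC emulator) copies this ACL to them.
# An empty ObjectType on an ExtendedRight ACE means "all extended rights";
# GenericAll includes the ExtendedRight bit, so Full Control shows up too.
(Get-Acl -Path $holder).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band [int]$ExtRight) -ne 0) -and
        ($_.ObjectType -eq $ResetPw -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Sort-Object IdentityReference
```

Anyone in the listed groups can take over a Domain Admin account by resetting its password, so the output is the effective list of Domain Admins by proxy.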