Yes this is exactly what should be going on. I'm missing the business reason 
for something other than this.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: Sherry Abercrombie [mailto:[email protected]]
Sent: Monday, October 05, 2009 11:56 AM
To: NT System Admin Issues
Subject: Re: Delegate permission: Reset Domain Admin passwords

We do not allow our helpdesk people to reset passwords for the IT Dept. or the 
Executives (this includes domain admin accounts), all other users they can 
reset the password for.

IMHO it is not a good idea to give low level techs the ability to reset domain 
admin accounts.

On Mon, Oct 5, 2009 at 11:35 AM, KenM <[email protected]> wrote:
That's right.

I was not thinking. We have it set up here for server DA account not the actual 
Domain Admins group. We do have a VB app that allows certain helpdesk employees 
to change passwords of users that are in the Domain Admins group. The app 
authenticates as a service account which is a member of the Domain 
administrators group. The app creates a log file of who reset the password and 
also sends an email to all the Domain admins. The app is not used too often and 
needs to be recompiled when the service account password changes. This is probably 
not the best thing to do but would be interested to hear what other people use 
in this scenario.

On Mon, Oct 5, 2009 at 11:56 AM, Brian Desmond <[email protected]> wrote:

AdminSdHolder circumvents this as it removes inheritance from the affected 
accounts.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: KenM [mailto:[email protected]]
Sent: Monday, October 05, 2009 10:48 AM
To: NT System Admin Issues
Subject: Re: Delegate permission: Reset Domain Admin passwords

Are all of your DA accounts in the same OU? If so just delegate the right to 
reset passwords for the helpdesk on the OU.

On Mon, Oct 5, 2009 at 11:26 AM, Christopher Bodnar <[email protected]> wrote:

We have a requirement that our helpdesk be delegated the right to reset 
passwords for Domain Admin accounts, but need to limit their access. I don't 
want to add them to Domain Admins. I know that the Domain Admins is a protected 
group and I'm aware of the function of the AdminSDHolder object. I could remove 
Domain Admins from that but I don't think that is the way to go with this. I 
just want to delegate that permission to a group. Anyone have to do this yet?

Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003

--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
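
Added example, not part of the original thread: a read-only PowerShell audit of the behaviour discussed above. It shows which principals hold the Reset Password right on the AdminSDHolder template and on each protected account, and whether inheritance is blocked there (which is why an OU-level delegation does not reach these accounts). It assumes the RSAT ActiveDirectory module and read access to the domain; the function name `Get-ResetPasswordAce` is made up for this example.

```powershell
# Added example: audit who can reset passwords on AdminSDHolder-protected accounts.
# Read-only; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Rights GUID of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Hypothetical helper: return the Allow ACEs that grant password reset, either
# through the specific extended right or through all extended rights
# (empty ObjectType, which also covers GenericAll / Full Control).
function Get-ResetPasswordAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $ExtendedRight) -and
        ($_.ObjectType -eq $ResetPassword -or $_.ObjectType -eq [guid]::Empty)
    }
}

# 1. The template ACL that is stamped onto every protected account.
$domainDN = (Get-ADDomain).DistinguishedName
$holder   = Get-ADObject "CN=AdminSDHolder,CN=System,$domainDN" `
                -Properties nTSecurityDescriptor

Write-Host 'Reset Password ACEs on the AdminSDHolder template:'
Get-ResetPasswordAce $holder.nTSecurityDescriptor |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 2. Each account currently or previously protected (adminCount=1 is not
#    cleared automatically when an account leaves a protected group).
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        [pscustomobject]@{
            Account            = $_.SamAccountName
            InheritanceBlocked = $sd.AreAccessRulesProtected
            CanResetPassword   = (Get-ResetPasswordAce $sd |
                ForEach-Object { $_.IdentityReference.Value }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

Any principal listed under `CanResetPassword` that is not an expected administrative group is worth reviewing, since that right amounts to control of the account.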




