Pardon the jump into the middle of this conversation, but wouldn't giving helpdesk techs the ability to reset admin passwords be a huge security hole? I'm a lowly help desk tech. I reset joe admin's password and log in as joe admin, grant myself admin privileges, and I now own the entire network. Or I could even do massive damage while logged in as joe admin, maybe create another user with admin privileges that I can use whenever I want. I know proper auditing should catch this, but does everyone always do proper auditing? No offense to any joes on this or any other list.
________________________________
From: Andrew Levicki [mailto:[email protected]]
Sent: Tue 10/13/2009 5:49 PM
To: NT System Admin Issues
Subject: Re: Password policy minimum password age

Sorry if this is a schoolboy error, but can you not just delegate authority on the OU that contains your protected user accounts to the help desk security group, specifying only permission to reset / change passwords? I've not done this myself, and if I've just fallen into a silly trap then apologies!!

Andrew.

On 13/10/2009, Michael B. Smith <[email protected]> wrote:
> I think that would be delegating WP (write property) on unicodePwd inherited
> from the user object.
>
> ________________________________
> From: Christopher Bodnar [[email protected]]
> Sent: Thursday, October 08, 2009 4:56 PM
> To: NT System Admin Issues
> Subject: Password policy minimum password age
>
> I've been working towards getting our help desk accounts out of the Domain
> Admins group. I've successfully modified the permissions on the
> AdminSDHolder object so they can reset passwords on users in "protected
> groups" (i.e. Domain Admins, Schema Admins, etc.). During testing the
> password reset works, if it falls under the minimum password age policy,
> which is part of our Default Domain Policy GPO. What if the account needs to
> have its password reset more than once during that time period? The help
> desk user won't be able to do it. I as a Domain Admin can, but I'm not sure
> how that ability is flowing down to me.
>
> Can someone shed some light on this for me? I'd like the help desk people to
> be able to reset the passwords regardless of the minimum password age
> policy.
>
> Thanks,
>
> Chris Bodnar, MCSE
> Sr. Systems Engineer
> Infrastructure Service Delivery
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

-- 
Sent from my mobile device
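The thread turns on who has been granted the right to reset passwords, either on AdminSDHolder (Chris's setup) or on an OU (Andrew's suggestion), and the top post asks whether anyone actually audits that. The following PowerShell is an added example, not code from anyone on the list: it lists every trustee holding the Reset Password control-access right on AdminSDHolder and on an OU, so the delegation can be reviewed. It assumes the ActiveDirectory module is available, and the OU name is a placeholder.

```powershell
# Added example (not from the thread): audit who can reset passwords on
# AdminSDHolder and on a delegated OU. Assumes the ActiveDirectory module
# (which provides the AD: drive) and read access to the objects' ACLs.
Import-Module ActiveDirectory

# rightsGuid of the User-Force-Change-Password ("Reset Password") control
# access right, as defined in the AD schema's Extended-Rights container.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordTrustees {
    param(
        # Distinguished name of the container whose ACL is inspected.
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access |
        Where-Object {
            # Allow ACEs that include the ExtendedRight bit (GenericAll contains it too)
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            # ObjectType = Reset Password GUID, or empty GUID = every extended right
            ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object @{ n = 'Container';         e = { $DistinguishedName } },
                      IdentityReference,
                      @{ n = 'AllExtendedRights'; e = { $_.ObjectType -eq [Guid]::Empty } },
                      IsInherited
}

$domainDn = (Get-ADDomain).DistinguishedName
$targets = @(
    "CN=AdminSDHolder,CN=System,$domainDn",
    "OU=Helpdesk-Managed Users,$domainDn"   # placeholder OU; set to your delegated OU
)
foreach ($dn in $targets) {
    Get-ResetPasswordTrustees -DistinguishedName $dn | Format-Table -AutoSize
}
```

Any row whose IdentityReference is the help desk group shows exactly what the delegation grants; a row with AllExtendedRights = True means the ACE covers far more than password resets and deserves a second look.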
