Re: Admin OU password change

Tech-Archive recommends: Speed Up your PC by fixing your registry

From: Danny (nonya_at_nonya.com)
Date: 04/01/04 

Date: Thu, 01 Apr 2004 12:47:46 -0500

I had to think about this... a LOT..

Small office. Business manager or other administrative person. Boss
decides that this person is in charge of passwords for the entire
domain because IT isnt far enough up the chain of command to be held
responsible for something as important as passwords.

That may not be his reason, but it could happen...

It's along the same vein as not being allowed your bosses password
(for security reasons) but yet you are an AD admin and could change it
in 10 seconds.

Politics are fun.

Danny Messano

On Thu, 1 Apr 2004 07:45:01 -0500, "Cary Shultz [A.D. MVP]"
<cwshultz@mvps.org> wrote:

>Mathias,
>
>What 'Admin OU' do you mean? Have you created an OU called 'Admin' and then
>placed all of the user account objects which are a member of the 'Domain
>Admin' group ( or similar ) in that OU? Now you are trying to delegate to
>a 'regular' user account object the ability to change the passwords for
>these 'Admin' user account objects?
>
>If this is the case then I might suggest that you re-think what you are
>doing! And very quickly. Do you really want a 'regular' user to be able to
>change the passwords for all of the 'Domain Admins'? Now that person could
>access just about everything ( and the things that he/she could not access -
>due to the necessity of being an Enterprise Admin or a Schema Admin - could
>very quickly be accessed with one or two very quick and easy changes! ).
>
>HTH,
>
>Cary
>
>
>"Mathias" <anonymous@discussions.microsoft.com> wrote in message
>news:16b2501c417a4$3e061d40$a401280a@phx.gbl...
>> Hi,
>> I was wondering whether it were possible to delegate
>> control to a non-administrative user to reset passwords
>> in the Admin OU? I've got the rest of the OU's sorted
>> but this is proving to be a real thorn in my side,
>>
>> Thanks,
>> Mathias
>

Relevant Pages

  • Re: Oh Dear, Where to start?!
    ... > sort of security solution? ... > use, passwords, physical security, backup/disaster ... > admin, network admin, tech support, programming, and ... Theres lots of software out there for backups. ...
    (Security-Basics)
  • RE: Securing workstations from IT guys
    ... Find the admin who is leaking the data and fire him. ... Securing workstations from IT guys ... Use encryption program to encrypt those files. ... Advise HR guys to assign passwords to their excel/word files. ...
    (Security-Basics)
  • Re: [Full-disclosure] What is the ulitmate vulnerability ?
    ... Why require passwords? ... It's trivial for a malicious user to bypass it, ... If an admin doesn't want anyone on their network, ... > Charter: http://lists.grok.org.uk/full-disclosure-charter.html ...
    (Full-Disclosure)
  • Re: Securing workstations from IT guys
    ... Change all Local Admin passwords so that even IT helpdesk/other doesn't ... Advise HR guys to assign passwords to their excel/word files. ... someone from domain admin group to be able to start C$/D$ share and browse ... incoming connections to C$ and pop up and alert whenever someone tries it ...
    (Security-Basics)
  • Re: Admin OU password change
    ... What 'Admin OU' do you mean? ... placed all of the user account objects which are a member of the 'Domain ... Do you really want a 'regular' user to be able to ... change the passwords for all of the 'Domain Admins'? ...
    (microsoft.public.win2000.active_directory)