Re: Admin OU password change

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

anonymous_at_discussions.microsoft.com
Date: 04/02/04 

Date: Thu, 1 Apr 2004 18:10:46 -0800

Thanks for the help guys. I didn't explain myself very
well but the regular users to be delegated control were
our Helpdesk staff and the Admin OU is indeed an OU with
all the admin accounts. My boss has just decided that
their access level is too high and that I should find a
way to rectify this situation, this being complicated by
the fact that we use a single sign-on product and have to
open VMware sessions to access this info. I've got about
10 different sub-tasks in there but your responses were
enough to get me past my stumbling block,

Much appreciated,
Mathias.
>-----Original Message-----
>Danny,
>
>I do not understand how can the IT Department not be
high enough up the
>chain of command to be held responsible for something so
important as
>passwords? This thought process makes absolutely zero
sense to me. Do
>these supposedly intelligent people have any idea what
the IT department
>does / can do / is responsible for doing?
>
>I might have a difficult time working in a situation
where the thought
>process at any company is that the IT Department can be
filled by any monkey
>off of the street. That usually speaks volumes as to
the type of company it
>is.
>
>Or am I completely misunderstanding this? I do indeed
understand politics.
>I worked in the Entertainment Industry in Beverly Hills
for 2 1/2 years
>before moving to the East Coast. Lots of little tiny
lap dogs yapping
>"YES!" all the time to the boss.....
>
>Cary
>
>
>"Danny" <nonya@nonya.com> wrote in message
>news:tsko60d0vlli47m1qcmbk0q1egqvhda2gs@4ax.com...
>> I had to think about this... a LOT..
>>
>> Small office. Business manager or other administrative
person. Boss
>> decides that this person is in charge of passwords for
the entire
>> domain because IT isnt far enough up the chain of
command to be held
>> responsible for something as important as passwords.
>>
>> That may not be his reason, but it could happen...
>>
>> It's along the same vein as not being allowed your
bosses password
>> (for security reasons) but yet you are an AD admin and
could change it
>> in 10 seconds.
>>
>> Politics are fun.
>>
>> Danny Messano
>>
>> On Thu, 1 Apr 2004 07:45:01 -0500, "Cary Shultz [A.D.
MVP]"
>> <cwshultz@mvps.org> wrote:
>>
>> >Mathias,
>> >
>> >What 'Admin OU' do you mean? Have you created an OU
called 'Admin' and
>then
>> >placed all of the user account objects which are a
member of the 'Domain
>> >Admin' group ( or similar ) in that OU? Now you are
trying to delegate
>to
>> >a 'regular' user account object the ability to change
the passwords for
>> >these 'Admin' user account objects?
>> >
>> >If this is the case then I might suggest that you re-
think what you are
>> >doing! And very quickly. Do you really want
a 'regular' user to be able
>to
>> >change the passwords for all of the 'Domain Admins'?
Now that person
>could
>> >access just about everything ( and the things that
he/she could not
>access -
>> >due to the necessity of being an Enterprise Admin or
a Schema Admin -
>could
>> >very quickly be accessed with one or two very quick
and easy changes! ).
>> >
>> >HTH,
>> >
>> >Cary
>> >
>> >
>> >"Mathias" <anonymous@discussions.microsoft.com> wrote
in message
>> >news:16b2501c417a4$3e061d40$a401280a@phx.gbl...
>> >> Hi,
>> >> I was wondering whether it were possible to
delegate
>> >> control to a non-administrative user to reset
passwords
>> >> in the Admin OU? I've got the rest of the OU's
sorted
>> >> but this is proving to be a real thorn in my side,
>> >>
>> >> Thanks,
>> >> Mathias
>> >
>>
>
>
>.
>

Relevant Pages

  • Re: Oh Dear, Where to start?!
    ... > sort of security solution? ... > use, passwords, physical security, backup/disaster ... > admin, network admin, tech support, programming, and ... Theres lots of software out there for backups. ...
    (Security-Basics)
  • RE: Securing workstations from IT guys
    ... Find the admin who is leaking the data and fire him. ... Securing workstations from IT guys ... Use encryption program to encrypt those files. ... Advise HR guys to assign passwords to their excel/word files. ...
    (Security-Basics)
  • Re: Securing workstations from IT guys
    ... Change all Local Admin passwords so that even IT helpdesk/other doesn't ... Advise HR guys to assign passwords to their excel/word files. ... someone from domain admin group to be able to start C$/D$ share and browse ... incoming connections to C$ and pop up and alert whenever someone tries it ...
    (Security-Basics)
  • Re: [Full-disclosure] What is the ulitmate vulnerability ?
    ... Why require passwords? ... It's trivial for a malicious user to bypass it, ... If an admin doesn't want anyone on their network, ... > Charter: http://lists.grok.org.uk/full-disclosure-charter.html ...
    (Full-Disclosure)
  • Re: Delegating Echange Full Admin Roghts
    ... logged in with an account that has exchange full admin ... admin), and trying to delegate Exchange Full admin rights to your account, ...
    (microsoft.public.exchange.admin)