Re: Account Operators accessing other account operators
- From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Mon, 6 Feb 2006 22:30:57 +0100
It is better not to use the Account Operators group, but to use your own
group and delegate the correct permissions on an OU that applies to the
correct objects in that OU. If you go that way, make sure to remove the
account from the Account Operators group, as that is a protected group in AD
(to be more precise, AdminSDHolder). After that, reset the adminCount
attribute to NOT SET and enable permissions inheritance on the objects.
For more info see:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/16/86.aspx
ADMINSDHOLDER:
Every hour, the Microsoft Windows domain controller that has the primary
domain controller (PDC) emulator operations master role verifies the ACLs on
members of these administrative groups and compares them to the ACL on the
AdminSDHolder object. If the ACL that is on the AdminSDHolder object is
different, the ACLs on the members of the administrative group are reset to
match the ACL on the AdminSDHolder object.
For more info on the ADMINSDHOLDER object see the following related KB
articles (not all may apply to your situation!)
Description and Update of the Active Directory AdminSDHolder Object
--> MS-KBQ232199 (http://support.microsoft.com/?id=232199)
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
--> MS-KBQ318180 (http://support.microsoft.com/?id=318180)
Delegated permissions are not available and inheritance is automatically disabled
--> MS-KBQ817433 (http://support.microsoft.com/?id=817433)
AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts
--> MS-KBQ306398 (http://support.microsoft.com/?id=306398)
Security tab of the adminSDHolder object does not display all properties
--> MS-KBQ301188 (http://support.microsoft.com/?id=301188)
"You do not have sufficient permissions in the Domain" error message occurs and Exchange Setup does not respond
--> MS-KBQ319966 (http://support.microsoft.com/?id=319966)
Certification Authority configuration to publish certificates in Active Directory of trusted domain
--> MS-KBQ281271 (http://support.microsoft.com/?id=281271)
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
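A worked version of the clean-up described in the reply above, as an added example (not Jorge's code and not from the linked KB articles). It assumes the ActiveDirectory PowerShell module and a list of protected group names that you should check against your own domain. It lists users still carrying adminCount=1 that are no longer members of any protected group, then clears adminCount and re-enables inheritance, with -WhatIf so nothing changes until you remove it.

```powershell
# Added example: find users orphaned by AdminSDHolder (adminCount=1 but no
# longer in a protected group), then clear adminCount and restore inheritance.
# Assumes the ActiveDirectory module (RSAT) and rights on the affected objects.
Import-Module ActiveDirectory

# Commonly documented AdminSDHolder-protected groups (assumption: verify the
# list for your forest/domain functional level; names may be localised).
$protectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Controllers',
    'Read-only Domain Controllers', 'Key Admins', 'Enterprise Key Admins'
)

# Collect transitive members of every protected group, keyed by DN.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($null -eq $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}

# Users still flagged by AdminSDHolder.
$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

# Orphans: flagged but not (any longer) a member of a protected group.
$orphans = @($flagged | Where-Object {
    -not $protectedMembers.ContainsKey($_.DistinguishedName)
})

"Found $($orphans.Count) orphaned adminCount=1 user(s):"
$orphans | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Remediation: clear adminCount, then turn inheritance back on so the OU
# delegation applies again. Remove -WhatIf to actually apply the changes.
foreach ($u in $orphans) {
    $path = 'AD:\' + $u.DistinguishedName
    Set-ADUser -Identity $u -Clear adminCount -WhatIf
    $acl = Get-Acl -Path $path
    # isProtected=$false re-enables inheritance; preserveInheritance=$true
    # keeps the existing inherited-turned-explicit ACEs as a starting point.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl -WhatIf
}
```

Run it on the PDC emulator or wait for its hourly pass before checking the result, since that DC is the one that would re-stamp the ACL if the account is still in a protected group.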
-----------------------------------------------------------------------------
"Matt" <Matt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E5CA6C2A-F45D-441E-A434-0203E20DD504@xxxxxxxxxxxxxxxx
We have a Windows 2003 (SP1) AD domain. Our helpdesk staff are Account
Operators and they can successfully manage the company's user accounts. They
cannot access builtin accounts such as domain administrators (which I know is
by design and is what I want).
However, and this is my problem, they cannot reset passwords or unlock the
accounts of the other account operators. If a helpdesk staff member locks
their account, the other helpdesk staff cannot unlock it, and they have to
wait for me to do it (I'm a domain admin). I did read an article saying that
this was by design since Windows 2000 SP4. However this is not particularly
helpful to me.
I am being pushed to get this resolved and do not want to give them domain
admin rights. Please can anyone help.