Re: Permissions to unlock Administrator account?

Some general principles.
- As few domain admins as possible. Use delegation for everything else.
- Use a real named account, not the Administrator account
- The Administrator accounts should have a very long, complex password, be
put in a safe and never used unless all else has failed. Never lose it.
- Real domain admins should have two accounts: one for things requiring
domain admin, and one for general day to day use.
- Much usage of the domain admin rights is simply not knowing enough about
the rights to delegate it to an account with less access. Very, very few
operations actually require the use of domain admin rights.
You need domain admin rights, of course, to have access to domain admin
accounts.
Anthony, http://www.airdesk.co.uk

"Chris Lukowski" <ChrisLukowski@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:751D5522-5E34-4CFD-9CEF-BB658397162A@xxxxxxxxxxxxxxxx
My fellow network administrator and I recently enacted the best practice of
having our individual user accounts removed from the Administrators and
Domain Admins group, leaving only the Administrator account there (I believe
that's what best practices dictate). We also delegated authority to create
and unlock user accounts to our accounts so we could still use AD Users and
Computers for daily admin tasks. However, we ran into a problem where the
Administrator account was locked out and the lockout checkbox was greyed out
from our consoles. We were lucky enough to have a DC hooked up to a KVM that
still had the admin logged in so we could unlock it from there.

My question is, what permission do we have to grant our accounts to be able
to unlock the Administrator account? What would we have done if we didn't
have any admin sessions logged in already?
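One way to check a domain against the principles in the reply above (few named domain admins, a break-glass Administrator that is never used), as an added example that is not from either poster. It assumes the RSAT ActiveDirectory module, read access to the domain, and a 30-day "in use" threshold chosen here for illustration:

```powershell
# Added audit example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# RID 500 is always the built-in Administrator, whatever it has been renamed to
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" `
    -Properties LastLogonDate, LockedOut, PasswordLastSet, Enabled

# Principle: the built-in Administrator is a break-glass account and should
# show no recent logons; a lockout on it means something is trying its password
$inUseThreshold = (Get-Date).AddDays(-30)   # assumed threshold, adjust to policy
[pscustomobject]@{
    Account         = $builtinAdmin.SamAccountName
    Enabled         = $builtinAdmin.Enabled
    LockedOut       = $builtinAdmin.LockedOut
    LastLogonDate   = $builtinAdmin.LastLogonDate
    PasswordLastSet = $builtinAdmin.PasswordLastSet
} | Format-List

if ($builtinAdmin.LastLogonDate -gt $inUseThreshold) {
    Write-Warning "Built-in Administrator logged on since $inUseThreshold; it should be break-glass only"
}
if ($builtinAdmin.LockedOut) {
    Write-Warning "Built-in Administrator is locked out; check lockout events on the PDC emulator"
}

# Principle: as few domain admins as possible, each a real named account
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, Enabled }

Write-Output "Domain Admins (recursive) user members: $(@($members).Count)"
$members | Select-Object SamAccountName, Enabled, LastLogonDate | Format-Table -AutoSize

# Members that have not logged on within the threshold are candidates for removal
$stale = $members | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $inUseThreshold }
if ($stale) {
    Write-Warning "Domain Admins members with no logon since $inUseThreshold: $($stale.SamAccountName -join ', ')"
}
```

Run it as a delegated read-only account; nothing here changes the directory, it only reports where the membership and usage diverge from the principles.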
