RE: Prevent changes to Administrator password
- From: John Policelli [MVP - DS] <JohnPolicelliMVPDS@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 26 Oct 2008 19:02:01 -0700
I forgot step 3...add the individuals to the group you created in step 1.
--
John Policelli
Blog: http://johnpolicelli.wordpress.com
This posting is provided "AS IS" with no warranties and confers no rights!
Always test before proceeding.
"John Policelli [MVP - DS]" wrote:
I agree with everyone on this post...you should not give DA if you do not
trust someone. However, the reality is there are cases where you may need to
give DA to someone. Also, just because you do not want them to change the
password of the Administrator account in the root domain, does not mean you
do not trust them. So I am giving you a potential option to help you mitigate
the risk of these individuals changing the password on the
RootDomain\Administrator account.
First, you need to understand that permissions on the
RootDomain\Administrator account are applied via AdminSDHolder so you need to
modify the permissions on the AdminSDHolder object in the root domain. Keep
in mind that doing this will prevent these individuals from resetting the
password for any user that is a member of a group that is protected by
AdminSDHolder and prevent these users from modifying the ACL on any user that
is a member of the AdminSDHolder group. You need to decide whether this is
feasible based on your delegation requirements. If you decide that this is
feasible, this is something you can TEST. Remember, these are pretty serious
changes, so test the heck out of it in your environment before implementing
it into production.
1) Create a group in your root domain (call it whatever you want, but I'll
refer to it as "Restricted Admins")
2) Modify the AdminSDHolder in your root domain as follows:
- Deny the Restricted Admins group the Reset Password permission
- Deny the Restricted Admins group the Write Permissions permission
You can view the following for more information on modifying AdminSDHolder
permissions.
--
John Policelli
Blog: http://johnpolicelli.wordpress.com
This posting is provided "AS IS" with no warranties and confers no rights!
Always test before proceeding.
"Taz1972" wrote:
Hello,
I administer a server 2003 AD domain which spans many sites across the
globe. Problem is there are too many people who knew the root administrator
password (which contains enterprise admin rights), so I decided to change the
password. I then gave the other admins new accounts with just domain admin
rights so they have just enough rights to do their jobs. They do not need
enterprise admin rights.
The problem is that the other admins can change the root administrator
password at their leisure, and this is not what I want them to be able to do!
How can I prevent them from changing the password of the root administrator
account? Is there a registry hack or GPO setting that can do this? Is this
even possible to prevent?
Hopefully there is some way to solve this, and I would greatly appreciate
your quick advice.
Thank you,
Admin
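
The three steps from the reply above (create the group, deny it Reset Password and Write Permissions on AdminSDHolder, add the members), as an added PowerShell example that is not part of the original thread. It assumes a management host in the root domain with the ActiveDirectory module available; the member names are placeholders.

```powershell
# Added example, not from the thread. Test in a lab forest before production.
Import-Module ActiveDirectory

$groupName = 'Restricted Admins'                 # group name used in the post
$members   = @('admin1', 'admin2')               # placeholder sAMAccountNames (assumption)
$domain    = Get-ADDomain                        # assumes the session is in the root domain
$holderDn  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$holderPath = "AD:\$holderDn"

# Step 1: create the group if it does not already exist.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $domain.UsersContainer -PassThru
}

# Step 2: build the two Deny ACEs for AdminSDHolder.
# Reset Password is the User-Force-Change-Password extended right.
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$deny   = [System.Security.AccessControl.AccessControlType]::Deny
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$rules  = @(
    # Deny Reset Password
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID, $rights::ExtendedRight, $deny, $resetPassword)),
    # Deny Write Permissions (modify the ACL)
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID, $rights::WriteDacl, $deny))
)

$acl = Get-Acl -Path $holderPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $holderPath -AclObject $acl

# Step 3: add the individuals to the group.
Add-ADGroupMember -Identity $group -Members $members

# Check: read the ACL back and list the Deny entries for the group.
# SDProp copies this ACL onto protected accounts on its next run
# (every 60 minutes by default), so the effect is not immediate.
(Get-Acl -Path $holderPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
```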