Re: Prevent changes to Administrator password




John Policelli [MVP - DS] wrote:
I agree with everyone on this post...you should not give DA if you do not trust someone. However, the reality is there are cases where you may need to give DA to someone. Also, just because you do not want them to change the password of the Administrator account in the root domain, does not mean you do not trust them. So I am giving you a potential option to help you mitigate the risk of these individuals changing the password on the RootDomain\Administrator account.

First, you need to understand that permissions on the RootDomain\Administrator account are applied via AdminSDHolder so you need to modify the permissions on the AdminSDHolder object in the root domain. Keep in mind that doing this will prevent these individuals from resetting the password for any user that is a member of a group that is protected by AdminSDHolder and prevent these users from modifying the ACL on any user that is a member of the AdminSDHolder group. You need to decide whether this is feasible based on your delegation requirements. If you decide that this is feasible, this is something you can TEST. Remember, these are pretty serious changes, so test the heck out of it in your environment before implementing it into production.


If you are just having him create a group and modify it using ACLs then if anything goes wrong it can easily be undone by removing the admins from the new group (there are other ways too), right? If so, why label this as a serious change? Did I miss something?

1) Create a group in your root domain (call it whatever you want, but I'll refer to it as "Restricted Admins")
2) Modify the AdminSDHolder in your root domain as follows:
- Deny the Restricted Admins group the Reset Password permission
- Deny the Restricted Admins group the Write Permissions permission

You can view the following for more information on modifying AdminSDHolder permissions.
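
Added example, not part of the original post and not written by either poster: one way to apply the two Deny ACEs from steps 1 and 2 with the ActiveDirectory PowerShell module, keeping a rollback copy and reading the result back. It assumes the "Restricted Admins" group already exists, that the session runs in the root domain under an account allowed to write the AdminSDHolder DACL, and the backup file name is an arbitrary choice.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module,
# a session in the root domain, and an existing group "Restricted Admins".
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$path     = "AD:\$holderDn"
$group    = Get-ADGroup -Identity 'Restricted Admins'
$sid      = [System.Security.Principal.SecurityIdentifier]$group.SID

# Control access right "Reset Password" (User-Force-Change-Password)
$resetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$deny   = [System.Security.AccessControl.AccessControlType]::Deny

$aces = @(
    # Deny Reset Password
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rights::ExtendedRight, $deny, $resetPwd)
    # Deny Write Permissions (modify the DACL)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rights::WriteDacl, $deny)
)

$acl = Get-Acl -Path $path

# Rollback copy of the current security descriptor (file name is arbitrary).
# To restore: $acl.SetSecurityDescriptorSddlForm((Get-Content <file>)); Set-Acl
$acl.Sddl | Set-Content -Path '.\AdminSDHolder-before.sddl'

foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path $path -AclObject $acl

# Read back: list the Deny ACEs now present for the group
(Get-Acl -Path $path).Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference -like '*Restricted Admins'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

The ACEs reach the protected accounts only when SDProp next runs on the PDC emulator (every 60 minutes by default), so check a protected test account after that interval rather than immediately.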