
Password Protect Domain Admin Account

I was told that there is a way to change the Domain admin account in Windows and then configure it so that even if another user has domain admin privileges - the password still cannot be changed.

Does anybody know if this is possible or how to do it?

Actually, if you do not trust a user, you’d better not make him a domain administrator.
From: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/7606aaf0-6636-419c-a7ee-2c56a457fe98

Run ACLDiag.exe to diagnose and check for discrepancies in the permissions of the objects in AD where you gave explicit deny rights (to change password) on Domain Admin B.


Or you can use the same tool to modify the AdminSDHolder container object (you can use DSACLS.exe for this), which is a built-in container object for each Active Directory domain that has a specific access control list (ACL) set on it:
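A read-only way to see what that ACL currently says about password rights, as an added example that is not part of the original answer. It matters because the ACL on AdminSDHolder is periodically stamped onto protected accounts such as Domain Admins members, so explicit deny entries set directly on the account object do not persist. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host; the variable names are illustrative.

```powershell
# Added example (not from the original thread): read-only audit of
# password-related ACEs on the AdminSDHolder container.
Import-Module ActiveDirectory

# Control access right GUIDs defined in the AD schema.
$passwordRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
}
# An empty ObjectType GUID on an ExtendedRight ACE means "all extended rights".
$allExtendedRights = [guid]::Empty.ToString()

# AdminSDHolder lives under CN=System in every domain.
$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

(Get-Acl -Path "AD:\$holderDn").Access |
    # GenericAll also carries the ExtendedRight bit, so full-control ACEs match too.
    Where-Object { $_.ActiveDirectoryRights -band $extendedRight } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        if ($passwordRights.ContainsKey($guid)) {
            $name = $passwordRights[$guid]
        } elseif ($guid -eq $allExtendedRights) {
            $name = 'All extended rights (includes both password rights)'
        } else {
            return   # unrelated extended right, skip this ACE
        }
        [pscustomobject]@{
            Identity  = $_.IdentityReference
            Type      = $_.AccessControlType   # Allow or Deny
            Right     = $name
            Inherited = $_.IsInherited
        }
    } |
    Sort-Object Type, Identity |
    Format-Table -AutoSize
```

Running `dsacls` with the same distinguished name prints the full ACL for comparison. Record the output before and after any change to AdminSDHolder so unexpected Allow or Deny entries on password rights are easy to spot.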