Solved

Windows 2003 Server

Posted on 2013-11-05
9
123 Views
Last Modified: 2013-11-21
I have a windows 2003 R2 Std Edition SP2 with a single domain.

I want to know if a member of the Domain Admin is able to change the password of the  Administrator account in the Active Directory
0
Comment
Question by:trevally8
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39626544
Yes that is possible
0
 

Author Comment

by:trevally8
ID: 39626560
Sorry maybe I never phrase it correctly. Actually what I wanted to achieve is that if a user is a member of the Domain Admin, how to prevent this user from changing the Administrator account of the Active Directory.
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39626589
I don't think you can do that. Domain admins can do pretty much everything.
You should make a Domain User and delegate to them only the things the need to be able to do.  (Backups, Printers, Reset passwords on a specific group of users)

http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 39626596
NO. any member of Domain Admins is able to change the administrator account of the AD. that's by design.

however, you may restrict some user rights using Domain Controller Security Policy. the user rights can be modified under W2K3 are listed here.

User Rights Assignment
http://technet.microsoft.com/en-us/library/cc780182%28v=ws.10%29.aspx

basically, if you don't want a user to do admin jobs, you should not put the user into the Domain Admins group.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:trevally8
ID: 39626644
I want a user to be able to perform operations like :

able to join computers to domain
able to install programs on client computers etc

but this user must not be able to change the password of the  following :

active directory Administrator account,Domain Admin account
0
 
LVL 4

Accepted Solution

by:
Haslerct earned 250 total points
ID: 39626684
Hi,



It seem like that user that you created is not mainly for Active Directory administration. You just simply want to have some ID that powerful enough to join PC to domain, able to install software on PC.

In this case, that user should NOT be a domain admins, reason being, domain admins is so powerful that can do anything/everything.

I suggest you to the following:
1. Create a normal domain user account.
2. Use domain GPO, and allow this new user to have permission on "Add workstations to domain"
      - This will allow this account to join PC to domain.

3. For install software on the PC, you need to be an administrators of the PC, what you can do is use GPO "Restricted Group" to add this particular user into the PC local administrators group.
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Thanks
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 39627472
able to join computers to domain

create a new regular user.

1, give this right to the user "Add workstations to domain". http://technet.microsoft.com/en-us/library/cc780195%28v=ws.10%29.aspx

2. assign the user as *local* Administrators (not Domain Admins).
0
 

Author Comment

by:trevally8
ID: 39629044
thanks for the follow up thus far.

this user i want to create is mainly for Active Directory administration

eg

join domain
install programs on client side
assign rights
create/delete users

But this user must not be able to change the password of the  following :

active directory Administrator account,Domain Admin account
0
 
LVL 4

Expert Comment

by:Haslerct
ID: 39629086
You can use delegation to create user/delete user/etc... Bottomline... Delegate anything u want to this user... But don't assign as domain admins, coz domain admin can reset password of other domain admins.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Remote Desktop Protocol or RDP has become an essential tool in many offices. This article will show you how to set up an external IP to point directly to an RDP session. There are many reasons why this is beneficial but perhaps the top reason is con…
This is my 3rd article on SCCM in recent weeks, the 1st (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html) dealing with installat…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now