Solved

Windows 2003 Server

Posted on 2013-11-05
9
132 Views
Last Modified: 2013-11-21
I have a windows 2003 R2 Std Edition SP2 with a single domain.

I want to know if a member of the Domain Admin is able to change the password of the  Administrator account in the Active Directory
0
Comment
Question by:trevally8
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39626544
Yes that is possible
0
 

Author Comment

by:trevally8
ID: 39626560
Sorry maybe I never phrase it correctly. Actually what I wanted to achieve is that if a user is a member of the Domain Admin, how to prevent this user from changing the Administrator account of the Active Directory.
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39626589
I don't think you can do that. Domain admins can do pretty much everything.
You should make a Domain User and delegate to them only the things the need to be able to do.  (Backups, Printers, Reset passwords on a specific group of users)

http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
0
Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

 
LVL 37

Expert Comment

by:bbao
ID: 39626596
NO. any member of Domain Admins is able to change the administrator account of the AD. that's by design.

however, you may restrict some user rights using Domain Controller Security Policy. the user rights can be modified under W2K3 are listed here.

User Rights Assignment
http://technet.microsoft.com/en-us/library/cc780182%28v=ws.10%29.aspx

basically, if you don't want a user to do admin jobs, you should not put the user into the Domain Admins group.
0
 

Author Comment

by:trevally8
ID: 39626644
I want a user to be able to perform operations like :

able to join computers to domain
able to install programs on client computers etc

but this user must not be able to change the password of the  following :

active directory Administrator account,Domain Admin account
0
 
LVL 4

Accepted Solution

by:
Haslerct earned 250 total points
ID: 39626684
Hi,



It seem like that user that you created is not mainly for Active Directory administration. You just simply want to have some ID that powerful enough to join PC to domain, able to install software on PC.

In this case, that user should NOT be a domain admins, reason being, domain admins is so powerful that can do anything/everything.

I suggest you to the following:
1. Create a normal domain user account.
2. Use domain GPO, and allow this new user to have permission on "Add workstations to domain"
      - This will allow this account to join PC to domain.

3. For install software on the PC, you need to be an administrators of the PC, what you can do is use GPO "Restricted Group" to add this particular user into the PC local administrators group.
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Thanks
0
 
LVL 37

Expert Comment

by:bbao
ID: 39627472
able to join computers to domain

create a new regular user.

1, give this right to the user "Add workstations to domain". http://technet.microsoft.com/en-us/library/cc780195%28v=ws.10%29.aspx

2. assign the user as *local* Administrators (not Domain Admins).
0
 

Author Comment

by:trevally8
ID: 39629044
thanks for the follow up thus far.

this user i want to create is mainly for Active Directory administration

eg

join domain
install programs on client side
assign rights
create/delete users

But this user must not be able to change the password of the  following :

active directory Administrator account,Domain Admin account
0
 
LVL 4

Expert Comment

by:Haslerct
ID: 39629086
You can use delegation to create user/delete user/etc... Bottomline... Delegate anything u want to this user... But don't assign as domain admins, coz domain admin can reset password of other domain admins.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My previous article  (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html)detailed one possible method to get SCCM 2007 installed an…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question