Solved

Windows 2003 Server

Posted on 2013-11-05
Last Modified: 2013-11-21
I have a Windows 2003 R2 Std Edition SP2 with a single domain.

I want to know if a member of Domain Admins is able to change the password of the Administrator account in Active Directory.
Question by:trevally8
9 Comments
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39626544
Yes, that is possible.
 

Author Comment

by:trevally8
ID: 39626560
Sorry, maybe I never phrased it correctly. Actually, what I want to achieve is this: if a user is a member of Domain Admins, how do I prevent this user from changing the Administrator account of Active Directory?
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39626589
I don't think you can do that. Domain admins can do pretty much everything.
You should make a domain user and delegate to them only the things they need to be able to do (backups, printers, reset passwords on a specific group of users).

http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
 
LVL 37

Expert Comment

by:bbao
ID: 39626596
NO. Any member of Domain Admins is able to change the Administrator account of the AD. That's by design.

However, you may restrict some user rights using the Domain Controller Security Policy. The user rights that can be modified under W2K3 are listed here.

User Rights Assignment
http://technet.microsoft.com/en-us/library/cc780182%28v=ws.10%29.aspx

Basically, if you don't want a user to do admin jobs, you should not put the user into the Domain Admins group.
 

Author Comment

by:trevally8
ID: 39626644
I want a user to be able to perform operations like:

able to join computers to the domain
able to install programs on client computers, etc.

but this user must not be able to change the password of the following:

the Active Directory Administrator account and Domain Admin accounts
 
LVL 4

Accepted Solution

by: Haslerct (earned 750 total points)
ID: 39626684
Hi,

It seems like the user that you created is not mainly for Active Directory administration. You simply want to have some ID that is powerful enough to join PCs to the domain and install software on PCs.

In this case, that user should NOT be a domain admin, the reason being that Domain Admins is so powerful that it can do anything/everything.

I suggest you do the following:
1. Create a normal domain user account.
2. Use a domain GPO and allow this new user to have the "Add workstations to domain" permission.
      - This will allow this account to join PCs to the domain.

3. To install software on a PC you need to be an administrator of the PC; what you can do is use the GPO "Restricted Groups" setting to add this particular user to the PC's local Administrators group.
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Thanks
 
LVL 37

Expert Comment

by:bbao
ID: 39627472
"able to join computers to domain"

Create a new regular user.

1. Give this user the right "Add workstations to domain". http://technet.microsoft.com/en-us/library/cc780195%28v=ws.10%29.aspx

2. Assign the user as a *local* Administrator (not Domain Admins).
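Haslerct's accepted solution and bbao's summary above describe the same procedure. What follows is an added, editor-written example that is not code from either of them or from the thread: a PowerShell script built only on the tools that ship with Windows Server 2003 (dsadd, dsmod, dsacls, dsget, secedit), so each line also works from cmd.exe. It creates the technician account and a group to carry the rights, delegates computer-object permissions on one OU instead of the domain-wide "Add workstations to domain" user right, writes the Restricted Groups security template for the workstations' local Administrators group, and ends with the check the whole thread is about: that the account is not a nested member of any privileged group. The domain corp.example, the OUs Workstations/Staff/Groups, the group CORP\DesktopTechs and the user jtech are assumed names.

```powershell
# Added example, not code from the thread. Assumed names: domain corp.example,
# OU=Workstations (client PCs), OU=Staff (people), OU=Groups, group CORP\DesktopTechs,
# user jtech. Run on a domain controller (or a machine with the Windows Server 2003
# admin tools) as an account allowed to edit these OUs' ACLs. Every tool is built in.

$domainDN = "DC=corp,DC=example"
$wsOU     = "OU=Workstations,$domainDN"
$techGrp  = "CORP\DesktopTechs"

# 1. An ordinary domain user, plus a group that carries the delegated rights
#    (grant to the group, never to the person; -pwd * prompts for the password).
dsadd group "CN=DesktopTechs,OU=Groups,$domainDN" -samid DesktopTechs -secgrp yes -scope g
dsadd user  "CN=Jane Tech,OU=Staff,$domainDN" -samid jtech -upn jtech@corp.example `
            -display "Jane Tech" -pwd * -mustchpwd yes -disabled no
dsmod group "CN=DesktopTechs,OU=Groups,$domainDN" -addmbr "CN=Jane Tech,OU=Staff,$domainDN"

# 2. Joining PCs. The "Add workstations to domain" user right is domain-wide, capped by
#    ms-DS-MachineAccountQuota (default 10 joins per account) and drops the objects into
#    CN=Computers. Delegating computer objects in one OU avoids all three:
#    CC/DC = create/delete child objects of class computer on the OU itself (/I:T),
#    GA    = full control over computer objects beneath it (/I:S = sub-objects only).
dsacls $wsOU /I:T /G "${techGrp}:CCDC;computer"
dsacls $wsOU /I:S /G "${techGrp}:GA;;computer"
# Pre-creating the account in the OU keeps the join out of CN=Computers, e.g.:
#   dsadd computer "CN=PC-0421,$wsOU"

# 3. Local Administrators on the PCs: a Restricted Groups security template to import
#    into the GPO linked to OU=Workstations. The __Members line is authoritative, so
#    Domain Admins must be listed too or the GPO removes them from the local group.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CORP\Domain Admins,CORP\DesktopTechs
'@
New-Item -ItemType Directory -Path C:\Templates -Force | Out-Null
$inf | Out-File -Encoding Unicode C:\Templates\LocalAdmins.inf
# Import: GPMC > edit the workstation GPO > Computer Configuration > Windows Settings >
# Security Settings > right-click > Import Policy... > LocalAdmins.inf
# Or try it on a single test PC first:
#   secedit /configure /db C:\Temp\test.sdb /cfg C:\Templates\LocalAdmins.inf /areas GROUP_MGMT

# 4. The check the question is really about: the account must not be a (nested)
#    member of Domain Admins, Administrators or the other privileged groups.
$protected = "CN=Domain Admins,CN=Users,$domainDN",
             "CN=Enterprise Admins,CN=Users,$domainDN",
             "CN=Administrators,CN=Builtin,$domainDN",
             "CN=Account Operators,CN=Builtin,$domainDN"
foreach ($g in $protected) {
    $members = dsget group $g -members -expand
    if ($members -match "CN=Jane Tech,") { Write-Warning "jtech is nested in $g" }
}
```

Step 2 deliberately scopes the rights to computer objects under one OU: the technician can create, join, rename and delete machines there and nothing else, whereas the user right from the TechNet link grants every member a quota of joins anywhere in the domain. Step 3 makes the account an administrator of the PCs only; it never touches the domain, which is why it can install software on clients without being able to reset anyone's domain password.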
 

Author Comment

by:trevally8
ID: 39629044
Thanks for the follow-up thus far.

This user I want to create is mainly for Active Directory administration,

e.g.

join domain
install programs on the client side
assign rights
create/delete users

But this user must not be able to change the password of the following:

the Active Directory Administrator account and Domain Admin accounts
 
LVL 4

Expert Comment

by:Haslerct
ID: 39629086
You can use delegation to create users/delete users/etc. Bottom line: delegate anything you want to this user, but don't assign them as a domain admin, because a domain admin can reset the password of other domain admins.
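For Haslerct's closing point (delegate what the account needs, never Domain Admins membership), here is an added, editor-written example that is not part of the thread, showing what that delegation looks like for the user-management tasks in the author's list and, more importantly, the check that explains why the delegated account cannot reach the Administrator account or Domain Admins members even in principle: those objects carry adminCount=1, and the SDProp process on the PDC emulator re-stamps their ACL from CN=AdminSDHolder,CN=System about once an hour with inheritance disabled, so permissions granted on an OU never apply to them. The script is PowerShell around the built-in dsacls, dsquery and dsget tools (the commands work unchanged from cmd.exe); corp.example, OU=Staff, OU=Groups and the group CORP\AccountAdmins are assumed names.

```powershell
# Added example, not code from the thread. Assumed names: domain corp.example,
# OU=Staff (ordinary users), OU=Groups (non-admin groups), delegate group
# CORP\AccountAdmins. Run on a DC as an account that can edit those OUs' ACLs.

$domainDN = "DC=corp,DC=example"
$staffOU  = "OU=Staff,$domainDN"
$grpOU    = "OU=Groups,$domainDN"
$delegate = "CORP\AccountAdmins"

# Create/delete user objects in OU=Staff (/I:T = this OU and everything below it).
dsacls $staffOU /I:T /G "${delegate}:CCDC;user"

# On the user objects themselves (/I:S = sub-objects only), grant the narrow set a
# help desk actually needs instead of full control. CA = control-access right,
# RP/WP = read/write the named attribute.
dsacls $staffOU /I:S /G "${delegate}:CA;Reset Password;user"          # reset password
dsacls $staffOU /I:S /G "${delegate}:RPWP;pwdLastSet;user"           # force change at next logon
dsacls $staffOU /I:S /G "${delegate}:RPWP;lockoutTime;user"          # unlock
dsacls $staffOU /I:S /G "${delegate}:RPWP;userAccountControl;user"   # enable/disable
dsacls $staffOU /I:S /G "${delegate}:GR;;user"                       # read all attributes

# "Assign rights" in practice means group membership; scope it to non-admin groups.
dsacls $grpOU /I:S /G "${delegate}:RPWP;member;group"

# Why none of this reaches Administrator or Domain Admins members: every object with
# adminCount=1 gets its ACL copied from AdminSDHolder (inheritance off), so an OU ACE
# is overwritten within about 60 minutes even if an admin account were moved into
# OU=Staff. List the protected accounts and confirm the delegate group is not among them:
dsquery * $domainDN -limit 0 -filter "(&(objectCategory=person)(adminCount=1))" `
        -attr sAMAccountName distinguishedName

# The effective ACL on Administrator: no inherited ACEs and no CORP\AccountAdmins entry.
dsacls "CN=Administrator,CN=Users,$domainDN"
# The template those ACLs come from; this is the only place such an entry could be added.
dsacls "CN=AdminSDHolder,CN=System,$domainDN"

# Finally, the delegate group and its members must not be nested anywhere privileged.
dsget group "CN=Domain Admins,CN=Users,$domainDN" -members -expand
dsget group "CN=Administrators,CN=Builtin,$domainDN" -members -expand
```

Two caveats the thread only implies. First, the protection works the other way round from what the author asked for: you cannot stop a Domain Admin from resetting Administrator's password, but an account that is not in a protected group cannot reset it no matter what is delegated on any OU, because its ACL is not the OU's. Second, the dsacls output for AdminSDHolder is worth reading once; anyone who can write to that object (by default, Domain Admins and Enterprise Admins) controls the ACL of every protected account, so the delegated group must never be granted rights there, and the adminCount=1 query should be repeated periodically since a group that was ever nested under Domain Admins keeps its protected ACL until it is cleaned up by hand.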