trevally8
asked on
Windows 2003 Server
I have a windows 2003 R2 Std Edition SP2 with a single domain.
I want to know if a member of the Domain Admin is able to change the password of the Administrator account in the Active Directory
Yes that is possible
ASKER
Sorry, maybe I never phrased it correctly. Actually, what I want to achieve is this: if a user is a member of Domain Admins, how do I prevent this user from changing the Administrator account of the Active Directory?
I don't think you can do that. Domain admins can do pretty much everything.
You should make a Domain User and delegate to them only the things they need to be able to do (backups, printers, reset passwords on a specific group of users).
http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
NO. Any member of Domain Admins is able to change the Administrator account of the AD. That's by design.
However, you may restrict some user rights using the Domain Controller Security Policy. The user rights that can be modified under W2K3 are listed here:
User Rights Assignment
http://technet.microsoft.com/en-us/library/cc780182%28v=ws.10%29.aspx
Basically, if you don't want a user to do admin jobs, you should not put the user into the Domain Admins group.
ASKER
I want a user to be able to perform operations like:
able to join computers to the domain
able to install programs on client computers, etc.
but this user must not be able to change the password of the following:
Active Directory Administrator account, Domain Admin account
ASKER CERTIFIED SOLUTION
able to join computers to domain
Create a new regular user.
1. Give this right to the user: "Add workstations to domain". http://technet.microsoft.com/en-us/library/cc780195%28v=ws.10%29.aspx
2. Assign the user as a *local* Administrator (not Domain Admins).
ASKER
Thanks for the follow-up thus far.
This user I want to create is mainly for Active Directory administration,
e.g.
join domain
install programs on the client side
assign rights
create/delete users
But this user must not be able to change the password of the following:
Active Directory Administrator account, Domain Admin account
You can use delegation to create user/delete user/etc... Bottom line... Delegate anything you want to this user... But don't assign as Domain Admins, because a Domain Admin can reset the password of other Domain Admins.
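The two answers above (the accepted one about "Add workstations to domain" plus local Administrators, and this last one about delegation) describe a procedure without showing the commands. The following is an added example, not code from any of the posters, that carries both out with dsacls.exe (Windows Support Tools on 2003, built in from 2008) and ADSI from PowerShell. The domain example.com, the OU named Staff and the account EXAMPLE\ad-ops are placeholders. Instead of the "Add workstations to domain" user right, it grants create/delete of computer objects on the Computers container, which achieves the same join capability without the per-user machine-account quota. The last step verifies the property the asker cares about: the built-in Administrator and Domain Admins members carry adminCount=1 and are re-stamped from AdminSDHolder, so an ACL delegated on an OU never reaches them, and the delegated account must stay out of Domain Admins.

```powershell
# Added example (not from the thread): delegate routine AD administration to a
# regular account without Domain Admins membership. All names are placeholders.
$domainDN   = "DC=example,DC=com"
$userOU     = "OU=Staff,$domainDN"        # OU holding the ordinary user accounts
$computerCN = "CN=Computers,$domainDN"    # default container for newly joined machines
$opsAccount = "EXAMPLE\ad-ops"            # the delegated, non-Domain-Admin account

# 1. Create/delete user objects and reset passwords, scoped to the Staff OU only.
#    /I:T = this object and all children, /I:S = children only.
#    CC/DC = create/delete child object; CA;Reset Password = the extended right
#    behind "Reset Password"; WP on pwdLastSet allows "must change at next logon".
dsacls $userOU /I:T /G "${opsAccount}:CCDC;user"
dsacls $userOU /I:S /G "${opsAccount}:CA;Reset Password;user"
dsacls $userOU /I:S /G "${opsAccount}:WP;pwdLastSet;user"

# 2. Join computers to the domain: create/delete computer objects in Computers.
#    This replaces the "Add workstations to domain" user right and is not
#    limited by ms-DS-MachineAccountQuota.
dsacls $computerCN /I:T /G "${opsAccount}:CCDC;computer"

# 3. On each client, make the account a *local* administrator so it can install
#    software there (run on the client, or push the same membership with a
#    Restricted Groups GPO). Domain Admins is NOT involved.
net localgroup Administrators $opsAccount /add

# 4. Verify the boundary. The delegated account must not appear in Domain Admins,
#    and the built-in Administrator must still be AdminSDHolder-protected
#    (adminCount = 1) and carry no ACE for the delegated account.
$domainAdmins = [ADSI]"LDAP://CN=Domain Admins,CN=Users,$domainDN"
$domainAdmins.member | ForEach-Object { Write-Output "Domain Admins member: $_" }

$admin = [ADSI]"LDAP://CN=Administrator,CN=Users,$domainDN"
"Administrator adminCount = $($admin.adminCount)"     # expected: 1

# Lists the ACL of the Administrator object and prints any line naming the
# delegated account; -SimpleMatch because the backslash is not a regex escape.
dsacls "CN=Administrator,CN=Users,$domainDN" | Select-String -SimpleMatch $opsAccount
```

Run the dsacls lines on a domain controller (or a machine with the Support Tools) as an account that owns the OU ACL, and the net localgroup line on each client. If step 4 prints the delegated account under Domain Admins, or any ACE for it on the Administrator object, the delegation has been undone by someone and should be rolled back before the account is used.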