Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows 2003 Server

Posted on 2013-11-05
9
Medium Priority
?
145 Views
Last Modified: 2013-11-21
I have a windows 2003 R2 Std Edition SP2 with a single domain.

I want to know if a member of the Domain Admin is able to change the password of the  Administrator account in the Active Directory
0
Comment
Question by:trevally8
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39626544
Yes that is possible
0
 

Author Comment

by:trevally8
ID: 39626560
Sorry maybe I never phrase it correctly. Actually what I wanted to achieve is that if a user is a member of the Domain Admin, how to prevent this user from changing the Administrator account of the Active Directory.
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39626589
I don't think you can do that. Domain admins can do pretty much everything.
You should make a Domain User and delegate to them only the things the need to be able to do.  (Backups, Printers, Reset passwords on a specific group of users)

http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 37

Expert Comment

by:bbao
ID: 39626596
NO. any member of Domain Admins is able to change the administrator account of the AD. that's by design.

however, you may restrict some user rights using Domain Controller Security Policy. the user rights can be modified under W2K3 are listed here.

User Rights Assignment
http://technet.microsoft.com/en-us/library/cc780182%28v=ws.10%29.aspx

basically, if you don't want a user to do admin jobs, you should not put the user into the Domain Admins group.
0
 

Author Comment

by:trevally8
ID: 39626644
I want a user to be able to perform operations like :

able to join computers to domain
able to install programs on client computers etc

but this user must not be able to change the password of the  following :

active directory Administrator account,Domain Admin account
0
 
LVL 4

Accepted Solution

by:
Haslerct earned 750 total points
ID: 39626684
Hi,



It seem like that user that you created is not mainly for Active Directory administration. You just simply want to have some ID that powerful enough to join PC to domain, able to install software on PC.

In this case, that user should NOT be a domain admins, reason being, domain admins is so powerful that can do anything/everything.

I suggest you to the following:
1. Create a normal domain user account.
2. Use domain GPO, and allow this new user to have permission on "Add workstations to domain"
      - This will allow this account to join PC to domain.

3. For install software on the PC, you need to be an administrators of the PC, what you can do is use GPO "Restricted Group" to add this particular user into the PC local administrators group.
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Thanks
0
 
LVL 37

Expert Comment

by:bbao
ID: 39627472
able to join computers to domain

create a new regular user.

1, give this right to the user "Add workstations to domain". http://technet.microsoft.com/en-us/library/cc780195%28v=ws.10%29.aspx

2. assign the user as *local* Administrators (not Domain Admins).
0
 

Author Comment

by:trevally8
ID: 39629044
thanks for the follow up thus far.

this user i want to create is mainly for Active Directory administration

eg

join domain
install programs on client side
assign rights
create/delete users

But this user must not be able to change the password of the  following :

active directory Administrator account,Domain Admin account
0
 
LVL 4

Expert Comment

by:Haslerct
ID: 39629086
You can use delegation to create user/delete user/etc... Bottomline... Delegate anything u want to this user... But don't assign as domain admins, coz domain admin can reset password of other domain admins.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

1. Boot PC and press F10, select storage options and change the compatibility from “AHCI” to “IDE”, save and exit 2. Boot PC and press F12 3. Upon PXE display of searching for DHCP server, press Pause break to obtain MAC address 3. Open Configu…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question