Solved

Can Domain user Unlock Domain admin account after Delegation

Posted on 2014-01-13
14
3,222 Views
Last Modified: 2014-02-07
I have created a user group in AD, then I delegated the group the right to unlock user accounts.
As a test I put one user in the Domain Admins group and typed the wrong password several times to lock him out. I used another user who is a member of the group I delegated in order to unlock the account, but the option shows as greyed out.

http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts

I followed steps 1 to 9,
but I could not get a domain user to unlock the account of a Domain Admins user.

Apparently even with delegation a domain user will not be able to unlock a Domain Admins account.

Is there any workaround for this?

Thanks
0
Question by:jskfan
14 Comments
 
LVL 18

Accepted Solution

by:
Jeremy Weisinger earned 167 total points
ID: 39778428
All users that are members of protected groups will have their DACLs configured according to the restrictions placed on the groups.

More info: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

and http://technet.microsoft.com/en-us/library/cc700835.aspx

Excerpt from the second link:
"The accounts and groups listed in this table and all members of these groups are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings."

So what this boils down to is that the user that unlocks those accounts must also be a domain admin.
0
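As an added example (not code from the thread, the linked article or Microsoft), a PowerShell check that makes the accepted answer visible on a live object: it reports whether the target account is a protected one (adminCount=1), and whether the delegated group's write-lockoutTime ACE, which is what the "unlock account" delegation grants, is present on the user object and on the AdminSDHolder template that SDProp copies onto protected accounts. The group and user names are assumed placeholders; the RSAT ActiveDirectory module on a domain-joined host is assumed.

```powershell
# Added example, not code from the thread. Shows why a delegated unlock right does not
# persist on a protected account: SDProp rewrites the DACL from AdminSDHolder.
# Assumes RSAT ActiveDirectory module; group/user names below are placeholders.
param(
    [string]$DelegatedGroup = 'Ops-Unlock',   # assumed: the delegated helpdesk/ops group
    [string]$TargetUser     = 'someadmin'     # assumed: sAMAccountName of the account to check
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$group  = Get-ADGroup -Identity $DelegatedGroup
$user   = Get-ADUser  -Identity $TargetUser -Properties adminCount, LockedOut

# Resolve the schemaIDGUID of lockoutTime from the schema instead of hard-coding it.
# Unlocking an account means writing lockoutTime back to 0, so that is the ACE to look for.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$lockoutAttr = Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq 'lockoutTime' } -Properties schemaIDGUID
$lockoutGuid = [guid]$lockoutAttr.schemaIDGUID

$groupName = "$($domain.NetBIOSName)\$($group.SamAccountName)"

function Test-UnlockAce {
    # Returns $true when the object's DACL contains an Allow ACE for $groupName granting
    # WriteProperty on lockoutTime (a broader GenericAll ACE is deliberately not counted).
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $groupName -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        $_.ObjectType -eq $lockoutGuid
    })
}

$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Protected = $true with UnlockAceOnUser = $false and UnlockAceOnAdminSDHolder = $false
# is exactly the situation described in the question: the delegation was applied to the
# OU, but SDProp has already replaced the user's DACL with the AdminSDHolder template.
[pscustomobject]@{
    User                     = $user.SamAccountName
    LockedOut                = $user.LockedOut
    Protected                = ($user.adminCount -eq 1)
    UnlockAceOnUser          = Test-UnlockAce $user.DistinguishedName
    UnlockAceOnAdminSDHolder = Test-UnlockAce $adminSdHolderDn
}
```

Run it against a Domain Admins member and a regular user from the same OU to see the difference the thread describes: the regular user keeps the delegated ACE, the protected one loses it within the SDProp interval.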
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 167 total points
ID: 39779007
That's right.

Also, from a logical / security point of view you should not get delegated access anyhow to unlock or reset the password of highly privileged accounts such as accounts that are members of Domain Admins.

Since these groups are responsible for managing the entire domain, it makes sense to keep those groups out of reach of other standard delegated accounts.

In reality, to make this happen MS would need to make a lot of changes in the architecture, which would introduce security holes in AD and probably destroy the concept of Active Directory.

Mahesh
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 39780332
Hi.

Why would you need others to unlock that account? The built-in domain admin "administrator" could be used to unlock others. By default that one will never lock.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39780988
It doesn't sound like jskfan is talking about the built-in account, rather members of the Domain Admins group.
0
 

Author Comment

by:jskfan
ID: 39781096
Jeremy Weisinger

correct
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39781477
I had a question: "Why would you need others to unlock that account?"
Because I thought, if those (the other domain admins, not the built-in ones) lock, another admin could reset them at any time using the built-in administrator. And I saw no reason why any user with delegated permissions would need to unlock a domain admin.

So please answer it, so I can understand. :)
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39781489
Totally agreed with Mike. As already stated in an earlier comment, allowing delegated access for standard users to play with highly privileged accounts would break the AD security model, and that is the reason it's not allowed by MS.

Mahesh
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39782434
@McKnife Don't get me wrong, I totally agree with you. And of course the built-in account won't be locked. It's just that I believe the goal was to have non-admin users be able to unlock admin accounts.

And of course the answer is that it can't be done.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39783663
Jeremy, I tried to ask jskfan something. jskfan, still waiting :)
0
 

Author Comment

by:jskfan
ID: 39791172
Because we have users in operations who work 24/7, and we want them to be called by domain admins to unlock their accounts instead of domain admins waking each other up to unlock the accounts...
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39791230
In that case, as stated by MIKE earlier, you can use the built-in administrator in Active Directory to log on to the directory server and unlock other domain admins' accounts without issue, as that account never gets locked.

Mahesh
0
 

Author Comment

by:jskfan
ID: 39828210
Sorry for the delay…

Mahesh,

Do you mean I need to add users from the operations team to the built-in Administrators group in AD, and then they will be able to unlock Domain Admins accounts?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39828231
NO. Just as "MIKE" (= me, McKnife) wrote earlier, the account "administrator" is also a domain account and a domain administrator. And that one cannot lock out, leaving it free for tasks like unlocking other domain admins. Now clear?
0
 

Author Closing Comment

by:jskfan
ID: 39843374
Thank you
0
