Solved

Can Domain user Unlock Domain admin account after Delegation

Posted on 2014-01-13
Last Modified: 2014-02-07
I have created a user group in AD, then I delegated the group the right to unlock user accounts.
As a test I put one user in the Domain Admins group and typed the wrong password several times to lock him out. I used another user, a member of the group I delegated, in order to unlock the account, but the option is greyed out.

http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts

I followed steps 1 to 9,
but I could not get a domain user to unlock the account of a Domain Admins member.

Apparently, even with delegation, a domain user will not be able to unlock a domain admin's account.

Is there any workaround for this?

Thanks
0
Question by:jskfan
14 Comments
 
LVL 18

Accepted Solution

by:
Jeremy Weisinger earned 167 total points
ID: 39778428
All users that are members of protected groups will have their DACLs configured according to the restrictions placed on the groups.

More info: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

and http://technet.microsoft.com/en-us/library/cc700835.aspx

Excerpt from the second link:
The accounts and groups listed in this table and all members of these groups are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.

So what this boils down to is that the user that unlocks those accounts must also be a domain admin.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 167 total points
ID: 39779007
That's right.

Also, from a logical and security point of view, you should not get delegated access to unlock or reset the password of high-privileged accounts, such as accounts with membership in Domain Admins.

Since these groups are responsible for managing the entire domain, it makes sense to keep those groups out of reach of other standard delegated accounts.

In reality, to make this happen MS would need to make a lot of changes in the architecture, which would introduce security holes in AD and probably destroy the concept of Active Directory.

Mahesh
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 39780332
Hi.

Why would you need others to unlock that account? The built-in domain admin "administrator" could be used to unlock others. By default that one will never lock.
0
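The two points made above (Jeremy's: members of protected groups get the AdminSDHolder security descriptor re-applied by SDProp, so OU-level delegation never reaches them; McKnife's: the built-in RID-500 administrator is never locked out) can be checked from a domain-joined admin workstation. The following PowerShell is an added audit example, not code from this thread or from Microsoft; it assumes the RSAT ActiveDirectory module, and the group name `OPS-Unlockers` is a placeholder for whatever group was delegated the unlock right.

```powershell
# Added example: audit which accounts SDProp protects, whether the delegated
# group appears in their DACL at all, and which account is the built-in
# administrator (RID 500). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$delegatedGroup = 'OPS-Unlockers'   # placeholder: group given the "unlock account" delegation

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. SDProp stamps protected users with adminCount=1 and blocks ACL inheritance,
#    so an ACE delegated on the OU is simply never present on these objects.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, LockedOut

$report = foreach ($u in $protected) {
    $userAcl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    # Any ACE for the delegated group on this object? Expected: none.
    $delegatedAce = $userAcl.Access |
        Where-Object { $_.IdentityReference -like "*\$delegatedGroup" }
    [PSCustomObject]@{
        User               = $u.SamAccountName
        LockedOut          = $u.LockedOut
        InheritanceBlocked = $userAcl.AreAccessRulesProtected   # true for SDProp-managed objects
        DelegatedGroupAce  = [bool]$delegatedAce                 # false: delegation does not apply
    }
}
$report | Format-Table -AutoSize

# 2. The template SDProp copies onto those objects. Only principals listed here
#    (by default Domain Admins, Enterprise Admins and the built-in Administrators
#    group, among others) can unlock a protected account.
(Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 3. The built-in administrator is the account whose SID ends in -500; it is the
#    one exempt from lockout and therefore always available to unlock the others.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties LockedOut
"Built-in administrator: $($builtinAdmin.SamAccountName) (LockedOut=$($builtinAdmin.LockedOut))"

# To unlock a protected account you must run this as one of the principals in
# the AdminSDHolder DACL, e.g. a Domain Admin:
#   Unlock-ADAccount -Identity <samAccountName>
```

If step 1 reports `DelegatedGroupAce = True` for a protected user, it means SDProp has not yet run since the delegation was made (it runs on the PDC emulator, by default hourly); the ACE will be stripped on the next pass, which is why the unlock option appears greyed out for the delegated user even though the OU delegation looks correct in the wizard.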

 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39780988
It doesn't sound like jskfan is talking about the built-in account, rather members of the Domain Admins group.
0
 

Author Comment

by:jskfan
ID: 39781096
Jeremy Weisinger

correct
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39781477
I had a question: "Why would you need others to unlock that account?"
Because I thought, if those (the other domain admins, not the built-in ones) lock, another admin could reset them at any time using the built-in administrator. And I saw no reason why any user with delegated permissions would need to unlock a domain admin.

So please answer it, so I can understand. :)
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39781489
Totally agree with Mike. As already stated in an earlier comment, allowing delegated access for standard users to play with high-privileged accounts would break the AD security model, and that is the reason it's not allowed by MS.

Mahesh
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39782434
@McKnife Don't get me wrong, I totally agree with you. And of course the built-in account won't be locked. It's just that I believe the goal was to have non-admin users be able to unlock admin accounts.

And of course the answer is that it can't be done.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39783663
Jeremy, I tried to ask jskfan something. jskfan, still waiting :)
0
 

Author Comment

by:jskfan
ID: 39791172
Because we have users in operations who work 24/7, and we want domain admins to call them to unlock their accounts instead of domain admins waking each other up to unlock the accounts...
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39791230
In that case, as stated by MIKE earlier, you can use the built-in administrator in Active Directory to log on to the directory server and unlock other domain admin accounts without issue, as that account never gets locked.

Mahesh
0
 

Author Comment

by:jskfan
ID: 39828210
Sorry for the delay…

Mahesh,

Do you mean I need to add users from the operations team to the built-in Administrators group in AD, and then they will be able to unlock Domain Admins accounts?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39828231
NO. Just as "MIKE" (= me, McKnife) wrote earlier, the account "administrator" is also a domain account and a domain administrator. And that one cannot lock out, leaving it free for tasks like unlocking other domain admins. Now clear?
0
 

Author Closing Comment

by:jskfan
ID: 39843374
Thank you
0
