Can Domain user Unlock Domain admin account after Delegation

I have created a user group in AD, then delegated the right to unlock user accounts to that group.
As a test I put one user in the Domain Admins group and typed a wrong password several times to lock him out. I then used another user, a member of the group I delegated to, to unlock the account, but the unlock option shows greyed out.

http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts

I followed steps 1 to 9, but I could not get a domain user to unlock the account of a Domain Admins member.

Apparently, even with delegation, a domain user will not be able to unlock a Domain Admins account.

Is there any workaround for this?

Thanks
jskfan asked.

Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
All users that are members of protected groups will have their DACLs configured according to the restrictions placed on the groups.

More info: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

and http://technet.microsoft.com/en-us/library/cc700835.aspx

Excerpt from the second link:
The accounts and groups listed in this table and all members of these groups are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.

So what this boils down to is that the user that unlocks those accounts must also be a domain admin.
0
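The behaviour Jeremy describes is observable from the directory itself: SDProp stamps protected accounts with adminCount = 1 and overwrites their DACL with the one on the AdminSDHolder object, so an unlock ACE granted on an OU never survives on those users. The following PowerShell is an added example and not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, and the group name AccountUnlockers is a placeholder for whatever group you delegated to.

```powershell
# Added example (not from the thread): show why an OU-level unlock delegation
# does not reach members of protected groups such as Domain Admins.
# Assumes the RSAT ActiveDirectory module; 'AccountUnlockers' is a placeholder.
Import-Module ActiveDirectory

$DelegatedGroup   = 'AccountUnlockers'   # placeholder: group given the "unlock" delegation
$Domain           = Get-ADDomain
$AdminSDHolderDN  = "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"

# 1. Accounts SDProp has stamped (adminCount = 1). Their DACL is copied from
#    AdminSDHolder on every SDProp cycle, so OU delegations do not apply to them.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, LockedOut
$protected | Select-Object SamAccountName, adminCount, LockedOut | Format-Table -AutoSize

# 2. Currently locked-out users, split into "a delegate can unlock this" and
#    "only an account with rights on AdminSDHolder-stamped objects can".
Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties adminCount |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            ProtectedBySDProp    = ($_.adminCount -eq 1)
            UnlockableByDelegate = ($_.adminCount -ne 1)
        }
    } | Format-Table -AutoSize

# 3. Compare the ACEs held by the delegated group on a protected user with those
#    on the AdminSDHolder template. Because SDProp copies the template, the group
#    has no ACE on the protected user unless it also has one on AdminSDHolder.
function Get-DelegatedAces {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType
}

$sampleAdmin = $protected | Select-Object -First 1
if ($sampleAdmin) {
    "ACEs for $DelegatedGroup on $($sampleAdmin.DistinguishedName):"
    Get-DelegatedAces -DistinguishedName $sampleAdmin.DistinguishedName -GroupName $DelegatedGroup
    "ACEs for $DelegatedGroup on AdminSDHolder:"
    Get-DelegatedAces -DistinguishedName $AdminSDHolderDN -GroupName $DelegatedGroup
}
```

Run it as an account that can read the directory; the first two sections need no special rights. An empty result from step 3 for both the protected user and AdminSDHolder is the expected state in the scenario the question describes, and it is exactly why the unlock checkbox is greyed out for the delegate: the unlock right is a write to the user's lockoutTime attribute, and no such ACE for the delegated group exists on the stamped DACL.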
 
Mahesh (Architect) commented:
That's right.

Also, from a logical / security point of view, you should not get delegated access to unlock or reset the password of highly privileged accounts, such as accounts that are members of Domain Admins.

Since these groups are responsible for managing the entire domain, it makes sense to keep those groups out of reach of other standard delegated accounts.

In reality, to make this happen MS would need to make a lot of changes to the architecture, which would introduce security holes in AD and probably destroy the concept of Active Directory.

Mahesh
0
 
McKnife commented:
Hi.

Why would you need others to unlock that account? The built-in domain admin "administrator" could be used to unlock others. By default that one will never lock.
0
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
It doesn't sound like jskfan is talking about the built-in account, rather members of the Domain Admins group.
0
 
jskfan (Author) commented:
Jeremy Weisinger

correct
0
 
McKnife commented:
I had a question: "Why would you need others to unlock that account?"
Because I thought, if those (the other domain admins, not the built-in ones) lock, another admin could reset them at any time using the built-in administrator. And I saw no reason why any user with delegated permissions would need to unlock a domain admin.

So please answer it, so I can understand. :)
0
 
Mahesh (Architect) commented:
Totally agree with Mike; as already stated in an earlier comment, allowing delegated access for standard users to play with highly privileged accounts would break the AD security model, and that is the reason it's not allowed by MS.

Mahesh
0
 
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
@McKnife Don't get me wrong, I totally agree with you. And of course the built-in account won't be locked. It's just that I believe the goal was to have non-admin users be able to unlock admin accounts.

And of course the answer is that it can't be done.
0
 
McKnife commented:
Jeremy, I tried to ask jskfan something. jskfan, still waiting :)
0
 
jskfan (Author) commented:
Because we have users in operations who work 24/7, and we want them to be the ones the domain admins call to unlock their accounts, instead of domain admins waking each other up to unlock the accounts...
0
 
Mahesh (Architect) commented:
In that case, as stated by Mike earlier, you can use the built-in administrator in Active Directory to log on to the directory server and unlock other domain admins' accounts without issue, as that account never gets locked.

Mahesh
0
 
jskfan (Author) commented:
Sorry for the delay…

Mahesh,

Do you mean I need to add users from the operations team to the built-in Administrators group in AD, and then they will be able to unlock Domain Admins accounts?
0
 
McKnife commented:
NO. Just as "MIKE" = me, McKnife, wrote earlier, the account "administrator" is also a domain account and a domain administrator. And that one cannot lock out, leaving it free for tasks like unlocking other domain admins. Now clear?
0
 
jskfan (Author) commented:
Thank you
0