Solved

Can Domain user Unlock Domain admin account after Delegation

Posted on 2014-01-13
Medium Priority
3,357 Views
Last Modified: 2014-02-07
I have created a user group in AD, then I delegated the group the right to unlock user accounts.
As a test I put one user in the Domain Admins group and typed the wrong password several times to lock him out. I used another user, who is a member of the group I delegated, in order to unlock the account, but the option shows greyed out.

http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts

I followed steps 1 to 9,
but I could not get a domain user to unlock the account of a Domain Admins user.

Apparently even with delegation a domain user will not be able to unlock a Domain Admins account.

Any workaround for this?

Thanks
Question by:jskfan
14 Comments
 
LVL 19

Accepted Solution

by:
Jeremy Weisinger earned 668 total points
ID: 39778428
All users that are members of protected groups will have their DACLs configured according to the restrictions placed on the groups.

More info: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

and http://technet.microsoft.com/en-us/library/cc700835.aspx

Excerpt from the second link:
The accounts and groups listed in this table and all members of these groups are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.

So what this boils down to is that the user that unlocks those accounts must also be a domain admin.
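To see the mechanism the accepted answer describes, the following PowerShell is an added example (not code from the original thread or from Microsoft) that inspects what SDProp does to a protected account and why OU-level delegation never reaches it. It assumes the RSAT ActiveDirectory module on a domain-joined host, a delegated group called `Helpdesk-Unlock`, and a test Domain Admins member called `da.test`; all three names are assumptions.

```powershell
# Added example, not from the original thread. Requires the RSAT
# ActiveDirectory module on a domain-joined host. The group name
# 'Helpdesk-Unlock' and the user 'da.test' are assumptions.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$sdHolderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$delegated  = 'Helpdesk-Unlock'   # assumed: group delegated "unlock" on the OU
$testUser   = 'da.test'           # assumed: test member of Domain Admins

# The delegation wizard's "unlock" task is, under the hood, WriteProperty on
# the lockoutTime attribute. Look up its schemaIDGUID rather than hard-coding it.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$lockoutGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID

# 1. Accounts SDProp has stamped: adminCount=1 is the tell-tale, and the DACL
#    has inheritance blocked, so ACEs delegated on the OU are never inherited.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            User               = $_.SamAccountName
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }

# 2. Does the delegated group hold a write-lockoutTime ACE on the protected
#    user? Expect nothing back: the DACL is a copy of AdminSDHolder's.
$userDN  = (Get-ADUser $testUser).DistinguishedName
$userAcl = Get-Acl -Path "AD:\$userDN"
$userAcl.Access | Where-Object {
    $_.IdentityReference -like "*\$delegated" -and
    $_.ObjectType -eq $lockoutGuid -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}

# 3. Even an ACE added by hand on the user is short-lived: SDProp (every
#    60 minutes by default) rewrites the DACL from AdminSDHolder. Any
#    difference shown here is what the next SDProp run will reconcile.
$holderAcl = Get-Acl -Path "AD:\$sdHolderDN"
$diff = Compare-Object -ReferenceObject $holderAcl.Access -DifferenceObject $userAcl.Access `
    -Property IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
if (-not $diff) { 'DACL matches the AdminSDHolder template' } else { $diff }

# 4. Negative test as a member of the delegated group: expect an
#    insufficient-access error, which is what the greyed-out checkbox reflects.
$cred = Get-Credential -Message "Member of $delegated"
try   { Unlock-ADAccount -Identity $testUser -Credential $cred; 'Unexpected: unlock succeeded' }
catch { "Expected failure: $($_.Exception.Message)" }

# 5. What does work: a Domain Admin (for example the built-in Administrator)
#    lists locked-out users and unlocks the protected account.
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LockedOut
Unlock-ADAccount -Identity $testUser
```

Step 2 returning nothing while the same filter run against the OU's ACL does return an ACE is the whole story: the delegation was applied, it just does not propagate to objects whose DACL SDProp owns. Step 3 is also a useful periodic check, since a protected account whose DACL drifts from the AdminSDHolder template between SDProp runs is worth investigating.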
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 668 total points
ID: 39779007
That's right.

Also, from a logical \ security point of view, you should not get delegated access anyhow to unlock or reset the password of highly privileged accounts such as accounts having membership of Domain Admins.

Since these groups are responsible for managing the entire domain, it makes sense to keep those groups out of reach of other standard delegated accounts.

In reality, to make this happen MS would need to do a lot of changes in the architecture, which would introduce security holes in AD and probably destroy the concept of Active Directory.

Mahesh
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 664 total points
ID: 39780332
Hi.

Why would you need others to unlock that account? The built-in domain admin "administrator" could be used to unlock others. By default that one will never lock.

 
LVL 19

Expert Comment

by:Jeremy Weisinger
ID: 39780988
It doesn't sound like jskfan is talking about the  built-in account, rather members of the Domain Admins group.
 

Author Comment

by:jskfan
ID: 39781096
Jeremy Weisinger

correct
 
LVL 56

Expert Comment

by:McKnife
ID: 39781477
I had a question: "Why would you need others to unlock that account?"
Because I thought, if those (the other domain admins, not the built-in one) lock, another admin could reset them at any time using the built-in administrator. And I saw no reason why any user with delegated permissions would need to unlock a domain admin.

So please answer it, so I can understand. :)
 
LVL 37

Expert Comment

by:Mahesh
ID: 39781489
Totally agreed with Mike. As already stated in my earlier comment, allowing delegated access to standard users to play with highly privileged accounts would break the AD security model, and that is the reason it's not allowed by MS.

Mahesh
 
LVL 19

Expert Comment

by:Jeremy Weisinger
ID: 39782434
@McKnife Don't get me wrong, I totally agree with you. And of course the built-in account won't be locked. It's just that I believe the goal was to have non-admin users be able to unlock admin accounts.

And of course the answer is that it can't be done.
 
LVL 56

Expert Comment

by:McKnife
ID: 39783663
Jeremy, I tried to ask jskfan something. jskfan, still waiting :)
 

Author Comment

by:jskfan
ID: 39791172
Because we have users in operations who work 24/7, and we want them to be called by domain admins to unlock their accounts, instead of domain admins waking each other up to unlock the accounts...
 
LVL 37

Expert Comment

by:Mahesh
ID: 39791230
In that case, as stated by Mike earlier, you can use the built-in Administrator in Active Directory to log on to the directory server and unlock other domain admin accounts without issue, as that account never gets locked.

Mahesh
 

Author Comment

by:jskfan
ID: 39828210
Sorry for the delay…

Mahesh,

Do you mean I need to add users from the operations team to the built-in Administrators group in AD, and then they will be able to unlock Domain Admins accounts?
 
LVL 56

Expert Comment

by:McKnife
ID: 39828231
NO. Just as "MIKE" = me, McKnife, wrote earlier, the account "administrator" is also a domain account and a domain administrator. And that one cannot lock out, leaving it free for tasks like unlocking other domain admins. Now clear?
 

Author Closing Comment

by:jskfan
ID: 39843374
Thank you