Solved

Can Domain user Unlock Domain admin account after Delegation

Posted on 2014-01-13
Last Modified: 2014-02-07
I have created a user group in AD, then I delegated to the group the right to unlock user accounts.
As a test I put one user in the Domain Admins group and typed the wrong password several times to lock him out. I used another user, who is a member of the group I delegated, to unlock the account, but the option shows greyed out.

http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts

I followed steps 1 to 9,
but I could not get a domain user to unlock the account of a Domain Admins user.

Apparently even with delegation a domain user will not be able to unlock a Domain Admins account.

Any workaround for this?

Thanks
Question by:jskfan
14 Comments
 
LVL 18

Accepted Solution

by: Jeremy Weisinger earned 167 total points
ID: 39778428
All users that are members of protected groups will have their DACLs configured according to the restrictions placed on the groups.

More info: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

and http://technet.microsoft.com/en-us/library/cc700835.aspx

Excerpt from the second link:
The accounts and groups listed in this table and all members of these groups are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.

So what this boils down to is that the user that unlocks those accounts must also be a domain admin.
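As an added example (not from the thread or from Microsoft), the PowerShell below shows how to verify the behaviour described above in your own domain. It assumes the ActiveDirectory RSAT module and its AD: drive, and the group and user names in the usage lines are placeholders. It reports whether an account carries the adminCount flag that SDProp sets and whether the delegated group's write ACE on lockoutTime (the attribute an "unlock account" delegation writes) actually survived on that object.

```powershell
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of lockoutTime from the schema instead of hard-coding it;
# the "unlock account" delegation is a WriteProperty ACE scoped to this attribute.
$schemaNC        = (Get-ADRootDSE).schemaNamingContext
$lockoutTimeAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$lockoutTimeGuid = [guid]$lockoutTimeAttr.schemaIDGUID

function Get-UnlockDelegationStatus {
    # Reports whether a user is SDProp-protected (adminCount = 1) and whether the
    # delegated group still holds an Allow/WriteProperty ACE on lockoutTime for that user.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DelegatedGroup   # 'DOMAIN\GroupName' form
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $ace  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $DelegatedGroup -and
        $_.ObjectType -eq $lockoutTimeGuid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    }
    [pscustomobject]@{
        User               = $user.SamAccountName
        Protected          = ($user.adminCount -eq 1)      # SDProp has applied the AdminSDHolder descriptor
        InheritanceBlocked = $acl.AreAccessRulesProtected  # SDProp also disables inheritance from the OU
        UnlockAcePresent   = [bool]$ace                    # expected: $false on a protected account
    }
}

function Get-ProtectedAccounts {
    # Accounts SDProp has touched keep adminCount=1 (and the locked-down DACL) even after
    # leaving the protected groups, until an admin clears the flag; worth reviewing periodically.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Select-Object SamAccountName, DistinguishedName
}

# Usage (placeholder names): a test Domain Admins member and the delegated unlock group.
# Get-UnlockDelegationStatus -SamAccountName 'da-test' -DelegatedGroup 'CONTOSO\Unlock-Operators'
# Get-ProtectedAccounts
```

Running the first function against a non-protected user in the same OU and then against the Domain Admins member shows the ACE present on the former and gone on the latter, which is exactly what the excerpt above describes.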
LVL 35

Assisted Solution

by: Mahesh earned 167 total points
ID: 39779007
That's right.

Also, from a logical / security point of view, you should not get delegated access anyhow to unlock or reset the password of high-privileged accounts, such as accounts with membership in Domain Admins.

Since these groups are responsible for managing the entire domain, it makes sense to keep those groups out of reach of other standard delegated accounts.

In reality, to make this happen MS would need to make a lot of changes in the architecture, which would introduce security holes in AD and probably destroy the concept of Active Directory.

Mahesh
LVL 53

Assisted Solution

by: McKnife earned 166 total points
ID: 39780332
Hi.

Why would you need others to unlock that account? The built-in domain admin "administrator" could be used to unlock others. By default that one will never lock.
LVL 18

Expert Comment

by: Jeremy Weisinger
ID: 39780988
It doesn't sound like jskfan is talking about the built-in account, rather members of the Domain Admins group.

Author Comment

by: jskfan
ID: 39781096
Jeremy Weisinger

correct
LVL 53

Expert Comment

by: McKnife
ID: 39781477
I had a question: "Why would you need others to unlock that account?"
Because I thought, if those (the other domain admins, not the built-in ones) lock, another admin could reset them at any time using the built-in administrator. And I saw no reason why any user with delegated permissions would need to unlock a domain admin.

So please answer it, so I can understand. :)
LVL 35

Expert Comment

by: Mahesh
ID: 39781489
Totally agreed with Mike. As already stated in an earlier comment, allowing delegated access for standard users to play with high-privileged accounts would break the AD security model, and that is the reason it's not allowed by MS.

Mahesh
LVL 18

Expert Comment

by: Jeremy Weisinger
ID: 39782434
@McKnife Don't get me wrong, I totally agree with you. And of course the built-in account won't be locked. It's just that I believe the goal was to have non-admin users be able to unlock admin accounts.

And of course the answer is that it can't be done.
LVL 53

Expert Comment

by: McKnife
ID: 39783663
Jeremy, I tried to ask jskfan something. jskfan, still waiting :)

Author Comment

by: jskfan
ID: 39791172
Because we have users in operations who work 24/7, and we want them to be called by domain admins to unlock their accounts instead of domain admins waking each other up to unlock the accounts...
LVL 35

Expert Comment

by: Mahesh
ID: 39791230
In that case, as stated by MIKE earlier, you can use the built-in administrator in Active Directory to log on to the directory server and unlock other domain admins' accounts without issue, as that account never gets locked.

Mahesh

Author Comment

by: jskfan
ID: 39828210
Sorry for the delay…

Mahesh,

Do you mean I need to add users from the operations team to the built-in Administrators group in AD, and then they will be able to unlock Domain Admins accounts?
LVL 53

Expert Comment

by: McKnife
ID: 39828231
NO. Just as "MIKE" (= me, McKnife) wrote earlier, the account "administrator" is also a domain account and a domain administrator. And that one cannot lock out, leaving it free for tasks like unlocking other domain admins. Now clear?

Author Closing Comment

by: jskfan
ID: 39843374
Thank you