Solved

I can't set domain admin accounts so that the user cannot change the password

Posted on 2014-01-14
1,292 Views
Last Modified: 2014-01-14
Hello AD Experts,

We have several generic accounts that are being used as service accounts on our domain.  A handful of these accounts are domain admin accounts (I know this is not a good configuration, but I have to work with it for the time being).  Anyway, I want to set these accounts up so that a user that logs in with the account cannot change the password.  I have tried setting the 'User cannot change password' attribute in Active Directory Users and Computers, but 30 minutes after I select this attribute, something is deselecting it.  I have looked through our GPOs for something that would be deselecting the attribute, but I have not found anything (but I could be looking in the wrong place).  My questions are these:
   1.  What could be causing my selection of this attribute to revert back to the unselected state?

   2.  How can I configure these accounts so that the user cannot change the password?

Thanks in advance for your help.

Nick
0
Question by:ndalmolin_13
2 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 39779861
Why do you need to have a service account as a domain admin account? I have seen situations where a service account needs to have local admin rights to a server; with that said, you can create a new Group and use Group Policy Restricted Groups to assign your service accounts local admin access.

As for your issue with the "User cannot change password" attribute changing back, it is due to the account being part of the Domain Admins Group, which is a protected group.

The AdminSDHolder scans the protected groups every 1 hour and if changes have been made to these groups they are reverted back. The below link provides more detail.

AdminSDHolder - http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

GPO Restricted Groups can be found at the following location for Group Policy
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Will.
0
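An added audit example (not from the thread or its participants) that shows the mechanism in the accepted answer from the defender's side: "User cannot change password" is stored as Deny ACEs for the Change Password extended right on the user object, and SDProp replaces the DACL of protected accounts with the one from AdminSDHolder, which is why the checkbox clears. The script assumes a domain-joined host with the RSAT ActiveDirectory module; the group name and function name are the author's own choices.

```powershell
# Added example: report the state of every user in a protected group.
# Assumes the ActiveDirectory RSAT module (it also creates the AD: drive).
Import-Module ActiveDirectory

# Well-known GUID of the "Change Password" extended right. The ADUC checkbox
# "User cannot change password" is implemented as Deny ACEs for this right
# (granted to Everyone and SELF) on the user object. SDProp overwrites the
# object's DACL from AdminSDHolder, so these Deny ACEs are removed again.
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-ProtectedAccountReport {
    param([string]$GroupName = 'Domain Admins')   # any protected group works

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties `
                adminCount, CannotChangePassword, PasswordNeverExpires, servicePrincipalName

            # Read the object's DACL and count Deny ACEs for the Change Password right.
            $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
            $denyAces = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ChangePasswordRight
            })

            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                AdminCount           = $u.adminCount            # 1 = stamped by SDProp
                CannotChangePassword = $u.CannotChangePassword  # computed from the DACL
                DenyChangePwdAces    = $denyAces.Count          # drops to 0 after SDProp runs
                PasswordNeverExpires = $u.PasswordNeverExpires
                HasSPN               = [bool]$u.servicePrincipalName  # hint: service account
            }
        }
}

# Example usage: list Domain Admins and see which still carry the Deny ACEs.
Get-ProtectedAccountReport | Format-Table -AutoSize
```

Re-run the report an hour or so after setting the checkbox: a protected account will show AdminCount 1 and DenyChangePwdAces 0, confirming that the revert is SDProp and not a GPO. The lasting fix is the one the answer gives, moving the service accounts out of the protected group.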
 
LVL 1

Author Closing Comment

by:ndalmolin_13
ID: 39780424
Thanks for the link.
0
