• Status: Solved

I can't set domain admin accounts so that the user cannot change the password

Hello AD Experts,

We have several generic accounts that are being used as service accounts on our domain. A handful of these accounts are domain admin accounts (I know this is not a good configuration, but I have to work with it for the time being). Anyway, I want to set these accounts up so that a user that logs in with the account cannot change the password. I have tried setting the 'User cannot change password' attribute in Active Directory Users and Computers, but 30 minutes after I select this attribute, something is deselecting it. I have looked through our GPOs for something that would be deselecting the attribute, but I have not found anything (but I could be looking in the wrong place). My questions are these:
   1.  What could be causing my selection of this attribute to revert back to the unselected state?

   2.  How can I configure these accounts so that the user cannot change the password?

Thanks in advance for your help.

Nick
Will Szymkowski, Senior Solution Architect, Commented:
Why do you need to have a service account as a domain admin account? I have seen situations where a service account needs to have local admin rights to a server. With that said, you can create a new group and use Group Policy Restricted Groups to assign your service accounts local admin access.

As for your issue, the "User cannot change password" attribute changing back is due to the account being part of the Domain Admins group, which is a protected group.

The AdminSDHolder scans the protected groups every 1 hour, and if changes have been made to these groups, they are reverted back. The link below provides more detail.

AdminSDHolder - http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

GPO Restricted Groups can be found at the following location for Group Policy
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Will.
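A read-only check for the behaviour described in the answer, added here as an example and not part of the original reply: the "User cannot change password" checkbox is stored as Deny entries for the Change Password extended right in the account's ACL, so an ACL reset on a protected account clears it. The script assumes the RSAT ActiveDirectory module and the default English group name; `Test-DenyChangePassword` is a hypothetical helper name.

```powershell
# Added example: read-only, changes nothing in the directory.
Import-Module ActiveDirectory

# Well-known GUID of the "Change Password" extended right (User-Change-Password).
$ChangePwd = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Test-DenyChangePassword {
    # Hypothetical helper: returns $true when the object's DACL carries a Deny ACE
    # for Change Password, which is what the ADUC checkbox writes.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $ChangePwd -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    [bool]$deny
}

# The AdminSDHolder object is the ACL template applied to protected accounts.
$domainDN       = (Get-ADDomain).DistinguishedName
$template       = "CN=AdminSDHolder,CN=System,$domainDN"
$templateDenies = Test-DenyChangePassword -DistinguishedName $template

# Compare each Domain Admins user account against the template.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName -Properties adminCount, whenChanged
        [pscustomobject]@{
            Account             = $u.SamAccountName
            AdminCount          = $u.adminCount   # 1 marks a protected account
            DenyOnAccount       = Test-DenyChangePassword -DistinguishedName $u.DistinguishedName
            DenyOnAdminSDHolder = $templateDenies
            WhenChanged         = $u.whenChanged
        }
    } | Format-Table -AutoSize
```

An account that shows `DenyOnAccount` as False some time after the box was ticked, while `DenyOnAdminSDHolder` is also False, matches the revert described in the answer.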
ndalmolin_13 (Author) Commented:
Thanks for the link.