Solved

I can't set domain admin accounts so that the user cannot change the password

Posted on 2014-01-14
1,273 Views
Last Modified: 2014-01-14
Hello AD Experts,

We have several generic accounts that are being used as service accounts on our domain. A handful of these accounts are domain admin accounts (I know this is not a good configuration, but I have to work with it for the time being). Anyway, I want to set these accounts up so that a user that logs in with the account cannot change the password. I have tried setting the 'User cannot change password' attribute in Active Directory Users and Computers, but 30 minutes after I select this attribute, something is deselecting it. I have looked through our GPOs for something that would be deselecting the attribute, but I have not found anything (but I could be looking in the wrong place). My questions are these:

   1. What could be causing my selection of this attribute to revert back to the unselected state?

   2. How can I configure these accounts so that the user cannot change the password?

Thanks in advance for your help.

Nick
Question by:ndalmolin_13
2 Comments

Accepted Solution by: Will Szymkowski (earned 2000 total points)
ID: 39779861
Why do you need to have a service account as a domain admin account? I have seen situations where a service account needs to have local admin rights to a server; with that said, you can create a new group and use Group Policy Restricted Groups to assign your service accounts local admin access.

As for your issue with the "User cannot change password" attribute changing back: this is due to the account being part of the Domain Admins group, which is a protected group.

The AdminSDHolder scans the protected groups every 1 hour, and if changes have been made to these groups they are reverted. The link below provides more detail.

AdminSDHolder - http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

GPO Restricted Groups can be found at the following location in Group Policy:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Will.
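As an added illustration (not part of Will's answer or the original thread), the PowerShell audit below shows what the answer describes from the admin's side: which accounts carry adminCount=1 (the marker SDProp leaves on members of protected groups such as Domain Admins), whether the "User cannot change password" setting currently holds on them, and how often the PDC emulator re-applies the AdminSDHolder ACL. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read the domain; the function names are mine. It only reports; it changes nothing.

```powershell
# Added example (not from the original thread): audit the accounts that SDProp protects,
# and therefore the accounts on which per-object security settings get overwritten.
# Assumes the RSAT ActiveDirectory module (provides Get-ADDomain, Get-ADUser and the AD: drive).
Import-Module ActiveDirectory

function Get-SdPropInterval {
    # SDProp runs on the PDC emulator. Its run interval, in seconds, is the
    # AdminSDProtectFrequency value under the NTDS Parameters key; when the value
    # is absent the default of 3600 seconds (the "every 1 hour" in the answer) applies.
    $pdc = (Get-ADDomain).PDCEmulator
    Invoke-Command -ComputerName $pdc -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $v = (Get-ItemProperty -Path $key -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue).AdminSDProtectFrequency
        if ($null -eq $v) { 3600 } else { $v }
    }
}

function Get-ProtectedAccountReport {
    # adminCount=1 is stamped on every object SDProp has processed, so this filter
    # lists the accounts whose ACL is reset to AdminSDHolder's on each run.
    $props = 'adminCount', 'CannotChangePassword', 'PasswordNeverExpires', 'ServicePrincipalName', 'MemberOf'
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties $props | ForEach-Object {
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            CannotChangePassword = $_.CannotChangePassword
            PasswordNeverExpires = $_.PasswordNeverExpires
            # An SPN is a rough hint that the account is used as a service account.
            LooksLikeService     = ($_.ServicePrincipalName.Count -gt 0)
            DirectDomainAdmin    = [bool]($_.MemberOf -match '^CN=Domain Admins,')
        }
    }
}

function Test-AdminSdHolderDeniesChangePassword {
    # "User cannot change password" is not a flag but a pair of Deny ACEs for the
    # User-Change-Password extended right (GUID ab721a53-1e2f-11d0-9819-00aa0040529b)
    # on the user object. Because SDProp copies AdminSDHolder's ACL over the object's,
    # the setting only survives on a protected account if AdminSDHolder itself carries
    # such Deny ACEs. This function reports whether it does, without modifying anything.
    $holder   = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    $changePw = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
    $acl      = Get-Acl -Path "AD:\$holder"
    $denies   = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $changePw
    })
    [pscustomobject]@{
        AdminSDHolder          = $holder
        DenyChangePasswordAces = $denies.Count
        DeniedIdentities       = ($denies.IdentityReference -join ', ')
    }
}

"SDProp interval on the PDC emulator (seconds): $(Get-SdPropInterval)"
Get-ProtectedAccountReport | Sort-Object SamAccountName | Format-Table -AutoSize
Test-AdminSdHolderDeniesChangePassword | Format-List
```

Reading the output against the question: any account in the report is one where the ACL you set in ADUC will be replaced on the next SDProp run, which is why the checkbox cleared after roughly half an hour. The rows with LooksLikeService and DirectDomainAdmin both true are the candidates the answer suggests moving out of Domain Admins into a dedicated group granted local admin rights through Restricted Groups; once an account is no longer in a protected group, its own ACL (and the "User cannot change password" setting) stays as configured.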

Author Closing Comment by: ndalmolin_13
ID: 39780424
Thanks for the link.