I can't set domain admin accounts so that the user cannot change the password
Posted on 2014-01-14
Hello AD Experts,
We have several generic accounts that are being used as service accounts on our domain. A hand full of these accounts are domain admin accounts (I know this is not a good configuration, but I have to work with it for the time being). Any ways, I want to set these accounts up so that a user that logs in with the account cannot change the password. I have tried setting the 'User cannot change password' attribute in Active Directory Users and Computers, but 30 minutes after I select this attribute, something is deselecting it. I have looked through our GPOs for something that would be deselecting the attribute, but I have not found anything (but I could be looking in the wrong place). My questions are these:
1. What could be causing my selection of this attribute to revert back to the unselected state?
2. How can I configure these accounts so that the user cannot change the password?
Thanks in advance for your help.