Solved

I can't set domain admin accounts so that the user cannot change the password

Posted on 2014-01-14
2
1,258 Views
Last Modified: 2014-01-14
Hello AD Experts,

We have several generic accounts that are being used as service accounts on our domain.  A hand full of these accounts are domain admin accounts (I know this is not a good configuration, but I have to work with it for the time being).  Any ways, I want to set these accounts up so that a user that logs in with the account cannot change the password.  I have tried setting the 'User cannot change password' attribute in Active Directory Users and Computers, but 30 minutes after I select this attribute, something is deselecting it.  I have looked through our GPOs for something that would be deselecting the attribute, but I have not found anything (but I could be looking in the wrong place).  My questions are these:
   1.  What could be causing my selection of this attribute to revert back to the unselected state?

   2.  How can I configure these accounts so that the user cannot change the password?

Thanks in advance for your help.

Nick
0
Comment
Question by:ndalmolin_13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39779861
Why do you need to have a service account as a domain admin account? I have seen situations where a service account needs to have local admin rights to a server, with that said you can create a new Group and use Group Policy Restricted Groups to assign your services accounts local admin access.

As for your issue with "User cannot change password" attribute changing back is due to the account being part of the Domain Admins Group which is a protected group.

The AdminSDHolder scans the protected groups every 1 hour and if changes have been made to these groups they are reverted back. The below link provides more detail.

AdminSDHolder - http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

GPO Restricted Groups can be found at the following location for Group Policy
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Will.
0
 
LVL 1

Author Closing Comment

by:ndalmolin_13
ID: 39780424
Thanks for the link.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question