Solved

I can't set domain admin accounts so that the user cannot change the password

Posted on 2014-01-14
2
1,155 Views
Last Modified: 2014-01-14
Hello AD Experts,

We have several generic accounts that are being used as service accounts on our domain.  A hand full of these accounts are domain admin accounts (I know this is not a good configuration, but I have to work with it for the time being).  Any ways, I want to set these accounts up so that a user that logs in with the account cannot change the password.  I have tried setting the 'User cannot change password' attribute in Active Directory Users and Computers, but 30 minutes after I select this attribute, something is deselecting it.  I have looked through our GPOs for something that would be deselecting the attribute, but I have not found anything (but I could be looking in the wrong place).  My questions are these:
   1.  What could be causing my selection of this attribute to revert back to the unselected state?

   2.  How can I configure these accounts so that the user cannot change the password?

Thanks in advance for your help.

Nick
0
Comment
Question by:ndalmolin_13
2 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
Comment Utility
Why do you need to have a service account as a domain admin account? I have seen situations where a service account needs to have local admin rights to a server, with that said you can create a new Group and use Group Policy Restricted Groups to assign your services accounts local admin access.

As for your issue with "User cannot change password" attribute changing back is due to the account being part of the Domain Admins Group which is a protected group.

The AdminSDHolder scans the protected groups every 1 hour and if changes have been made to these groups they are reverted back. The below link provides more detail.

AdminSDHolder - http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

GPO Restricted Groups can be found at the following location for Group Policy
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Will.
0
 
LVL 1

Author Closing Comment

by:ndalmolin_13
Comment Utility
Thanks for the link.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now