Create Domain Admin account with account admin rights only

Bash used Ask the Experts™
I have been asked to look into creating an emergency account that has the permissions to reset passwords\enable\disable on Domain Admin level accounts but only that - no RDP, logging on rights etc.

I have a Service Desk group that has been delegated rights in AD where necessary but as they are not DAs, cannot reset DA accounts. I know of the adminSDHolder flag attribute and would rather not remove this from DA accounts as it's implemented by design and is a layer of protection for DA accounts.

I know of GPO settings that can be used to prevent interactive logons but wouldn't that be overridden by an account with DA rights?

So, is there a way to achieve all this?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Technical Specialist
Awarded 2017
Distinguished Expert 2018
The correct process for such an emergency account is to take the built-in Administrator account, set a super complex password on it and put that in a lockbox. The same applies to the DSRM password.
After it is used, reset password and store again.

The only way that I can think of to achieve the above is to give it DA rights and explicitly deny login, directory etc. rights

The DA account will always have a way around this
Distinguished Expert 2018

Infact you cannot remove adminsHolder protection from DA accounts
If you tried to do so, definitely you will break something
If you put restrictions through GPO, domain admin ID can change GPO settings if wanted to
What is your requirement is actually not needed
what you can do, keep built-in administrator account disabled for security purpose and enable it only when you really required it, like all your other domain admins are locked out / disabled or even deleted

Else you can follow below setup
Hi Bash

its possible.

You can actually create a user for that, then right click on the OU (Organizational Unit) where al the users are in and "delegate Control", select the user you created. and the DELETGATE what that user should be able to do. remove any permissions other than guest for that user.
"Reset user passwords and force password change at next logon" should be the thing you choose.

the install AD mmc on their computer, they need to open the AD MMC as this user...

I just re-read your question and may misunderstand you ab bit...yes, you need to do it the way "Shaun" described...I don't see any other solution than that if you dont want to "break" some security that menat not to be breaked, but would work.


Thanks - That confirms my suspicions.

I'l lelave the q open for the rest of the week and if no additional info is received will distribute points accordingly.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial