Create Domain Admin account with account admin rights only

I have been asked to look into creating an emergency account that has the permissions to reset passwords / enable / disable Domain Admin level accounts, but only that: no RDP, logon rights, etc.

I have a Service Desk group that has been delegated rights in AD where necessary, but as they are not DAs, they cannot reset DA accounts. I know of the adminSDHolder flag attribute and would rather not remove this from DA accounts, as it's implemented by design and is a layer of protection for DA accounts.

I know of GPO settings that can be used to prevent interactive logons, but wouldn't those be overridden by an account with DA rights?

So, is there a way to achieve all this?
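As an added example (not part of the original question or any reply), the PowerShell check below shows where the Service Desk delegation actually stops: it lists the accounts whose DACL SDProp has protected (adminCount=1 with inheritance blocked) and compares them with the Reset Password ACEs on the AdminSDHolder template, which is the object whose ACL governs those accounts rather than any OU. The group name SD-PasswordReset is an assumption; the ActiveDirectory module must be loaded on a domain-joined host.

```powershell
# Added example, not code from the thread. Shows why an OU delegation never reaches
# Domain Admin accounts: SDProp copies the AdminSDHolder DACL onto every adminCount=1
# account and blocks inheritance, so only ACEs on AdminSDHolder matter for them.
# Assumes the ActiveDirectory module; 'SD-PasswordReset' is a hypothetical group name.
Import-Module ActiveDirectory

$delegatedGroup     = 'SD-PasswordReset'                                 # assumption: the Service Desk group
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'       # "Reset Password" extended right GUID

# 1. Accounts currently under SDProp protection: adminCount=1 and a protected (non-inheriting) DACL.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, DistinguishedName

# 2. The template SDProp stamps onto those accounts (hourly by default).
$holderDN  = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$holderAcl = Get-Acl -Path "AD:\$holderDN"

# 3. Who can reset passwords on the template: explicit Reset Password ACEs or GenericAll.
$resetAces = $holderAcl.Access | Where-Object {
    $_.ObjectType -eq $resetPasswordRight -or
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
} | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

$hasReset = $resetAces | Where-Object { $_.IdentityReference -like "*\$delegatedGroup" }

$protected | Format-Table -AutoSize
$resetAces | Format-Table -AutoSize
if (-not $hasReset) {
    # This is the normal, expected state: the delegated group is absent from AdminSDHolder,
    # so the OU delegation is silently overridden for every account listed in $protected.
    Write-Warning "$delegatedGroup has no Reset Password ACE on AdminSDHolder; it cannot reset the $($protected.Count) protected account(s) above."
}
```

The warning is the point of the check: an OU delegation can look correct in the GUI yet do nothing for protected accounts, and the only ACL that would change that is the one on AdminSDHolder, which is exactly the layer the question wants to keep.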

Shaun Vermaak (Technical Specialist/Developer) commented:
The correct process for such an emergency account is to take the built-in Administrator account, set a super-complex password on it and put that in a lockbox. The same applies to the DSRM password.
After it is used, reset the password and store it again.

The only way that I can think of to achieve the above is to give it DA rights and explicitly deny logon, directory, etc. rights.

The DA account will always have a way around this.

In fact, you cannot remove AdminSDHolder protection from DA accounts.
If you tried to do so, you would definitely break something.
If you put restrictions in place through GPO, a domain admin ID can change the GPO settings if it wants to.
What you require is actually not needed.
What you can do is keep the built-in Administrator account disabled for security purposes and enable it only when you really require it, e.g. when all your other domain admins are locked out, disabled or even deleted.

Otherwise, you can follow the setup below.
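Shaun's built-in Administrator procedure and the point in the comment just above about keeping that account disabled until it is needed, as one added PowerShell example that is not code from either reply: a random password is set and handed to the lockbox process, the account is disabled, and it is enabled only for the emergency and resealed afterwards. It assumes the ActiveDirectory module on a domain-joined admin host; the 32-character length, the 64-symbol alphabet and the function names are choices made here, not anything the thread specifies.

```powershell
# Added example, not code from the thread. Break-glass handling of the built-in
# Administrator account: random password sealed in a lockbox, account disabled until
# every other DA is unusable, password reset again after use.
# Assumes the ActiveDirectory module; length/alphabet/function names are assumptions.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 32)
    # Exactly 64 symbols (ambiguous I, O, l, o removed) so '-band 63' maps each
    # random byte uniformly onto the alphabet with no modulo bias.
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZ' + 'abcdefghijkmnpqrstuvwxyz' + '23456789' + '!#%&*+=?')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

# RID 500 is the built-in Administrator regardless of what it has been renamed to.
$domain     = Get-ADDomain
$breakGlass = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties Enabled, LastLogonDate

function Reset-BreakGlassAccount {
    # Seal: fresh password, account disabled. The returned string goes to the
    # physical lockbox / sealed envelope process and is written nowhere else.
    $pw = New-RandomPassword
    Set-ADAccountPassword -Identity $breakGlass -Reset `
        -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    Disable-ADAccount -Identity $breakGlass
    return $pw
}

function Enable-BreakGlassAccount {
    # Open: only when no other DA is usable. Run Reset-BreakGlassAccount again afterwards.
    Enable-ADAccount -Identity $breakGlass
    Write-Warning "Built-in Administrator enabled at $(Get-Date -Format o); reseal with Reset-BreakGlassAccount when done."
}

# Routine check that the sealed state still holds: disabled, and no logon since sealing.
$breakGlass | Select-Object SamAccountName, Enabled, LastLogonDate

# The DSRM password is per DC, not an AD account. Set it on each DC with
#   ntdsutil "set dsrm password" "reset password on server null" q q
# and store that password the same way.
```

The Enabled/LastLogonDate check is worth scheduling: a break-glass account that is found enabled, or that has a logon date newer than its last sealing, has been used outside the process and needs a reseal and an investigation.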
Thomas U commented:
Hi Bash

It's possible.

You can actually create a user for that, then right-click the OU (Organizational Unit) where all the users are and choose "Delegate Control", select the user you created, and then delegate what that user should be able to do. Remove any permissions other than guest for that user.
"Reset user passwords and force password change at next logon" should be the thing you choose.

Then install the AD MMC on their computer; they need to open the AD MMC as this user...
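What the "Delegate Control" step above actually writes to the OU's DACL, as an added PowerShell example that is not Thomas's code or anything from the thread: the Reset Password extended right plus read/write on pwdLastSet (which is the "Reset user passwords and force password change at next logon" task), and additionally read/write on userAccountControl for the enable/disable part of the question. The OU distinguished name and the group name are assumptions. The final query shows the limit of this approach for the accounts the question is about: anything with adminCount=1 under that OU has inheritance blocked and gets its DACL re-stamped from AdminSDHolder, so the delegation never reaches it.

```powershell
# Added example, not code from the thread. Scripted equivalent of the Delegate Control
# wizard's "Reset user passwords and force password change at next logon" task, plus
# userAccountControl write access for enable/disable. OU and group names are assumptions.
Import-Module ActiveDirectory

$ouDN  = 'OU=Users,DC=corp,DC=example'    # assumption: OU holding the accounts
$group = Get-ADGroup 'SD-PasswordReset'   # assumption: the Service Desk group

# Well-known rights/schema GUIDs (identical in every forest).
$ResetPassword      = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$PwdLastSet         = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute (force change at next logon)
$UserAccountControl = [Guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # userAccountControl attribute (enable/disable)
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class: inherit onto users only

$adr     = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rw      = $adr::ReadProperty -bor $adr::WriteProperty

# Three object-specific ACEs, inherited only by user objects below the OU.
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID, $adr::ExtendedRight, $allow, $ResetPassword, $inherit, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID, $rw, $allow, $PwdLastSet, $inherit, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID, $rw, $allow, $UserAccountControl, $inherit, $UserClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Limit of this delegation: accounts with adminCount=1 under the OU have inheritance
# blocked and their DACL re-stamped from AdminSDHolder by SDProp, so none of the ACEs
# above ever apply to them. Anything listed here is out of reach of the delegated group.
Get-ADUser -SearchBase $ouDN -LDAPFilter '(adminCount=1)' |
    Select-Object SamAccountName, DistinguishedName
```

Granting userAccountControl write is broader than enable/disable alone (the same attribute carries flags such as "password not required"), so if only enable/disable is wanted, keep the group's members and the OU scope tight and audit changes to that attribute.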

Thomas U commented:
I just re-read your question and may have misunderstood you a bit... Yes, you need to do it the way Shaun described... I don't see any other solution than that if you don't want to "break" some security that is meant not to be broken, but it would work.
Bash (Contractor, Author) commented:
Thanks - That confirms my suspicions.

I'll leave the question open for the rest of the week and if no additional info is received will distribute points accordingly.