I have been asked to look into creating an emergency account that has the permissions to reset passwords / enable / disable Domain Admin level accounts, but only that: no RDP, logon rights, etc.
I have a Service Desk group that has been delegated rights in AD where necessary, but as they are not DAs they cannot reset DA accounts. I know of the adminSDHolder flag attribute and would rather not remove this from DA accounts, as it's implemented by design and is a layer of protection for DA accounts.
I know of GPO settings that can be used to prevent interactive logons but wouldn't that be overridden by an account with DA rights?
So, is there a way to achieve all this?
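As an added example (not part of the original post or any reply to it), the script below audits the two things the question turns on: which principals currently hold the "Reset Password" extended right on the AdminSDHolder template object, whose ACL is re-stamped onto every protected (adminCount=1) account, and which accounts that protection currently covers. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the GUID is the schema's User-Force-Change-Password extended right.

```powershell
# Added example, not from the original post: audit who can reset passwords on
# AdminSDHolder-protected accounts and list which accounts are protected.
# Assumes the ActiveDirectory (RSAT) module and domain read access.

Import-Module ActiveDirectory

# Extended-right GUID for User-Force-Change-Password ("Reset Password").
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-AdminSDHolderResetPasswordAces {
    $domain   = Get-ADDomain
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

    # The AD: PSDrive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$holderDn"

    $acl.Access | Where-Object {
        $isExtended = (($_.ActiveDirectoryRights -band
                        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
        # An ACE for the specific right, or a blanket "all extended rights" ACE
        # (ObjectType = empty GUID), both grant the ability to reset passwords.
        $isExtended -and ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited
}

function Get-AdminSDHolderProtectedAccounts {
    # adminCount=1 marks accounts whose ACL AdminSDHolder has overwritten.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

Get-AdminSDHolderResetPasswordAces | Format-Table -AutoSize
Get-AdminSDHolderProtectedAccounts | Format-Table -AutoSize
```

Run it before and after any delegation change: because SDProp periodically copies the AdminSDHolder ACL onto protected accounts, a right that appears only on an individual DA account will not persist, so the first listing is the authoritative view of who can reset DA passwords. The script deliberately covers only the directory ACL side; logon restrictions for the emergency account are a separate control (user rights assignment) and are not reflected here.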