Re: Admin members and passwords

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/28/04


Date: Sun, 27 Jun 2004 22:12:36 GMT

Thanks Joe. I was not aware of that. --- Steve

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:OYdmTbHXEHA.4020@TK2MSFTNGP09.phx.gbl...
> AdminSDHolder functionality will prevent this from working. He will set it and
> within an hour sdprop will come along and "fix" it.
>
> The answer to this is no. If you can't trust your admins, they shouldn't be admins.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> Steven L Umbach wrote:
> > Ultimately you cannot do that. You can however enable auditing of account management
> > on Domain Controller Security Policy and password resets will show up in the security
> > log unless the log was erased which would in itself leave an event. Otherwise you can
> > try this. Go to your user account in AD Users and Computers and in your account
> > properties/security either add yourself as full control and remove all other
> > administrators groups or to be more subtle, just scroll down the list of permissions
> > and apply "deny" for reset password to the administrators group. Now this will also
> > prevent you from resetting your password, though you can still change it via normal
> > ways or remove the deny permission if you do need to reset it. The fact that the
> > reset permission is not immediately available until you scroll down the list may leave
> > some of them scratching their heads assuming they know where to look in the first
> > place. --- Steve
> >
> >
> > "Liam" <anonymous@discussions.microsoft.com> wrote in message
> > news:2136601c45af5$7dfbae30$a601280a@phx.gbl...
> >
> >>Is it possible to prevent other members of domain admins
> >>from changing your own user account password?
> >>
> >>I'm a domain admin user but need to be able to restrict
> >>other domain admin users from accessing my account. Is
> >>there an option in account options..?
> >>
> >>Can you hide a user account....I don't think so but
> >>thought I'd ask anyway.
> >>
> >>Any ideas would be appreciated.
> >
> >
> >
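
The AdminSDHolder behaviour described in the thread can be checked by comparing an account's own ACL with the AdminSDHolder template. The script below is an added example, not part of the original posts; it assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and a hypothetical script parameter `$SamAccountName`.

```powershell
# Added example (not from the thread): list explicit ACEs on an account that are
# absent from the AdminSDHolder template. On a protected account, SDProp replaces
# the ACL with the template, so these ACEs would not survive its next run.
param([Parameter(Mandatory)][string]$SamAccountName)   # hypothetical parameter name

Import-Module ActiveDirectory

# Schema GUID of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$user     = Get-ADUser -Identity $SamAccountName -Properties adminCount
$holderDN = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"

# Render an ACE as a string so two ACLs can be compared entry by entry.
function Format-Ace($ace) {
    '{0}|{1}|{2}|{3}' -f $ace.AccessControlType, $ace.IdentityReference,
                         $ace.ActiveDirectoryRights, $ace.ObjectType
}

# Only explicit ACEs matter: protected objects have inheritance disabled.
$userAces   = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
              Where-Object { -not $_.IsInherited }
$holderAces = (Get-Acl -Path "AD:\$holderDN").Access |
              Where-Object { -not $_.IsInherited }

$holderSet = @($holderAces | ForEach-Object { Format-Ace $_ })
$drift     = @($userAces | Where-Object { (Format-Ace $_) -notin $holderSet })

# Deny ACEs on Reset Password, such as the one suggested earlier in the thread.
$denyReset = @($drift | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ResetPwd
})

[pscustomobject]@{
    Account           = $user.SamAccountName
    AdminCountIsOne   = ($user.adminCount -eq 1)   # stamped by SDProp as protected
    AcesNotInTemplate = $drift.Count
    DenyResetPassword = $denyReset.Count
}

# Detail of each ACE that differs from the template.
$drift | Select-Object AccessControlType, IdentityReference, ActiveDirectoryRights, ObjectType
```

Running it before and after the hourly SDProp pass on a protected account shows `AcesNotInTemplate` dropping back to zero.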


