Reset password permissions to domain admins


  • Reset password permissions to domain admins

    How can I grant permissions for a specific group to reset passwords on domain admins' accounts?

    Thanks.

  • #2
    Delegated permissions on whatever OU contains the accounts
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Originally posted by mariag
      How can I grant permissions for a specific group to reset passwords on domain admins' accounts?

      Thanks.
      Only domain admins should be able to do this. Otherwise you're giving whoever can reset the password the ability to log on with those admins' credentials.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        I created a group called IT admins and set up delegation for all the OUs with all relevant permissions (unlock account / reset password, etc.).
        Still, users in this group are unable to unlock accounts / reset passwords for some users and for users inside the IT admins group.
        All users are in the same OU.



        • #5
          Again, only domain admins should be able to do this. There are protected groups in Active Directory. When you place a user in these protected groups, it changes the permissions on their object.
          https://technet.microsoft.com/en-us/.../dn466518.aspx
          https://technet.microsoft.com/en-us/...minholder.aspx
          These two articles explain what is going on and why what you're trying to do won't work. To be able to reset a domain admin's password, the user must be a domain admin. Period.
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com
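
The behaviour described in #4 and #5 can be checked per account. The following PowerShell is an added example, not code from any poster in this thread; it assumes the ActiveDirectory (RSAT) module is installed, and the OU path and the function name `Get-DelegationCoverage` are placeholders. It reports, for each user in the OU, the `adminCount` attribute and whether ACL inheritance is blocked on the object, which is how accounts covered by the protected-group mechanism show up and why a delegation set on the OU does not reach them.

```powershell
# Added example: audit which accounts in an OU an OU-level delegation can reach.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Placeholder: replace with the OU the delegation was applied to.
$SearchBase = 'OU=Staff,DC=example,DC=com'

function Get-DelegationCoverage {
    param(
        [Parameter(Mandatory)] [string] $SearchBase
    )

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * `
               -Properties adminCount, nTSecurityDescriptor, MemberOf |
        ForEach-Object {
            # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object.
            $sd = $_.nTSecurityDescriptor

            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                # 1 means the account is, or once was, in a protected group.
                AdminCount         = $_.adminCount
                # True means ACEs inherited from the OU are not applied to this object.
                InheritanceBlocked = $sd.AreAccessRulesProtected
                InheritsOuAcl      = -not $sd.AreAccessRulesProtected
                MemberOf           = ($_.MemberOf -join '; ')
            }
        }
}

$report = Get-DelegationCoverage -SearchBase $SearchBase

# Accounts the OU delegation cannot reach are listed first.
$report |
    Sort-Object InheritanceBlocked -Descending |
    Format-Table SamAccountName, AdminCount, InheritanceBlocked, InheritsOuAcl -AutoSize

# Group memberships of the unreachable accounts, to see which group marks them.
$report |
    Where-Object InheritanceBlocked |
    Select-Object SamAccountName, MemberOf |
    Format-List
```

An account can keep `adminCount = 1` and blocked inheritance after it has been removed from a protected group, so compare the output against current group membership before drawing conclusions.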
