I have a number of Windows servers (mostly Windows Server 2008) which are placed in a DMZ and are not in Active Directory. We use a third-party password management solution for Active Directory-joined servers. The idea is to use one account on each server which is NOT an administrator but has rights to change/reset the password of all other local users on the server, including the built-in administrator. None of the other users should have permissions to reset/change the password on the server. Any suggestions, such as local policy, local rights, PowerShell scripts, etc., which can help achieve the desired results?
wullieb1 – thanks for your reply. These can be local admin (built-in) or otherwise any account which may or may not have membership of the local Administrators group. I am aware it can be done for Active Directory and am already using this. I am wondering if there is a way (other than using some third-party tools, even if they exist) to reset the password using an account which is not an admin, the same concept as domain but at the local server level. Thanks,