Have you tested their ability to reset these accounts? I would guess that they are not able to right now due to the AdminSDHolder/SDProp.
http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
http://theessentialexchange.com/blogs/michael/archive/2008/10/22/admincount-adminsdholder-sdprop-and-you.aspx

On Fri, Nov 18, 2011 at 10:15 AM, Christopher Bodnar <christopher_bod...@glic.com> wrote:
> Currently our helpdesk staff have the ability to reset passwords for all
> user accounts, including domain admin accounts. Our internal auditors want
> us to take away the ability of helpdesk staff to change domain admin
> passwords, but not to remove their ability to reset passwords for users in
> "protected groups". That's where I'm running into a wall. Theoretically, if
> all the domain admin accounts were in one OU I could do this by revoking
> access to that OU, but unfortunately that is not the case and I don't think
> it's possible the way things are set up right now (service accounts in
> Domain Admins, etc.). What I'm afraid of is that something will break if
> I move those accounts, specifically the service accounts.
>
> Any thoughts on this?
>
> Chris Bodnar, MCSE, MCITP
> Technical Support III
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: christopher_bod...@glic.com
> Phone: 610-807-6459
> Fax: 610-807-6003
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
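As an added example (not from the thread or either poster), here is a PowerShell check for the question raised above: whether a given helpdesk group actually holds the Reset Password right on AdminSDHolder and on the adminCount=1 accounts that SDProp re-stamps from it. The group name and the use of the RSAT ActiveDirectory module (with its AD: drive) are assumptions.

```powershell
# Added example, not from the thread. Reports whether a helpdesk group is
# granted "Reset Password" on AdminSDHolder and on each SDProp-protected
# account (adminCount=1). Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$HelpdeskGroup = 'CONTOSO\Helpdesk'   # assumption: replace with your helpdesk group
# Well-known rightsGuid of the User-Force-Change-Password (Reset Password) control access right
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

function Test-HelpdeskResetRight {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $HelpdeskGroup -and
        $_.AccessControlType -eq 'Allow' -and
        # Reset Password is granted explicitly (ExtendedRight + this GUID),
        # as "all extended rights" (ExtendedRight + empty GUID), or via GenericAll
        ($_.ActiveDirectoryRights.HasFlag($Rights::GenericAll) -or
         ($_.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
          ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)))
    }
    return [bool]$aces
}

$domainDN      = (Get-ADDomain).DistinguishedName
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"

# The template ACL: whatever SDProp stamps onto protected accounts comes from here.
Write-Output ("{0} has Reset Password on AdminSDHolder: {1}" -f
    $HelpdeskGroup, (Test-HelpdeskResetRight -DistinguishedName $adminSDHolder))

# SDProp periodically rewrites the ACL of every adminCount=1 account from
# AdminSDHolder, so a right present on an account but absent from the template
# will not survive the next pass. Compare each protected account to the template.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    ForEach-Object {
        [pscustomobject]@{
            Account          = $_.SamAccountName
            HelpdeskCanReset = Test-HelpdeskResetRight -DistinguishedName $_.DistinguishedName
        }
    } | Format-Table -AutoSize
```

Note that adminCount=1 is sticky: an account removed from a protected group keeps the flag and its stamped ACL until someone clears them, so the listing may include accounts that are no longer members of Domain Admins or another protected group.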