Wednesday, January 26, 2011

Setting permissions on user accounts

We would like to lock a couple of accounts to prevent even domain admins from resetting the password without already knowing the current password. From what I can see in the permission sets, this looks possible. Anything I've found on the subject recommends against altering default permissions, but doesn't go into detail why.

Assuming that domain admin retains the ability to reset passwords without knowing current passwords, is it reasonable to prevent password resets on the domain admin account and maybe a couple of others? If not, why not?

  • It should be possible with ADSI edit. (I know you know, but: Be careful with ADSI Edit).

    But the real problem here is that you have to be able to trust the "Domain Admins". If you can't trust them with resetting passwords on important accounts, how can you trust them not to format the DCs?

    If you want to keep some accounts Special, move them into an OU and call it "ImportantAccounts" and tell all your domain admins not to reset these passwords!

    You can however centralise security auditing and keep track of who reset which password if you want to apportion blame after the fact.

    Ron Porter : First of all, ADSI edit is off limits! Second, trust would seem to be at the heart of the issue. In most areas, I like to work with a 'trust but verify' model. That suggests that we should leave things as they are, but add proper auditing and reporting.
    Ron Porter : John Gardinier's comment to my question addresses the technical reasons why this tactic cannot succeed and this answer raises valid concerns over the organization reasons for developing this strategy. If the two were merged into one answer, that would be ideal, but this is the only actual answer and the problem has been fully addressed to my satisfaction.
    Seanchán Torpéist : On a note about trust: We had summer students in here installing software on PCs and we made them normal "Domain Users" but put the "Interns" group into "Local Admins" of each desktop PC using a script. So they could mess with normal PCs but couldn't log into Servers or use AD.
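The "trust but verify" direction the answer and comments settle on (leave the default permissions alone, put the sensitive accounts in an OU, and audit who reset which password) can be implemented with the Security log. The following PowerShell is an added example, not code from the original thread or from any of its participants. It assumes the ActiveDirectory module is installed, that the caller can read the Security log on every domain controller, that the "User Account Management" audit subcategory is enabled on the DCs (the `auditpol` line in the comment), and that event 4724 carries the standard `SubjectUserName`/`TargetUserName` EventData fields; the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example (not from the original post): report password resets (Security
# event 4724, "An attempt was made to reset an account's password") that target
# accounts living in a protected OU, collected from every domain controller.
#
# Assumptions: ActiveDirectory module available, read access to each DC's
# Security log, and auditing enabled on the DCs with:
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# The OU below is a placeholder.

Import-Module ActiveDirectory

function Get-ProtectedAccountPasswordResets {
    param(
        [string]$ProtectedOU = 'OU=ImportantAccounts,DC=example,DC=com',  # placeholder DN
        [int]$Days = 7
    )

    # Event 4724 records the target by sAMAccountName, so collect those for the OU.
    $protected = Get-ADUser -Filter * -SearchBase $ProtectedOU |
        Select-Object -ExpandProperty SamAccountName

    $since = (Get-Date).AddDays(-$Days)

    # Resets are logged on whichever DC handled the request, so query all of them.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4724
            StartTime = $since
        } -ErrorAction SilentlyContinue   # a DC with no matching events is not an error

        foreach ($ev in $events) {
            # Read the EventData fields by name from the event XML rather than
            # relying on their position in the rendered message.
            $xml  = [xml]$ev.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($protected -contains $data['TargetUserName']) {
                [pscustomobject]@{
                    Time    = $ev.TimeCreated
                    DC      = $dc
                    ResetBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    Outcome = if ($ev.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
                }
            }
        }
    }
}

# Usage: who reset which protected account over the last 30 days, oldest first.
Get-ProtectedAccountPasswordResets -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

The report lists both successful and failed resets, so a failed attempt against one of the "ImportantAccounts" shows up as well as a completed one. Running it on a schedule and forwarding the output (or forwarding the 4724 events themselves to a central collector) gives the after-the-fact accountability the answer describes without touching the default AD permission sets.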
