I am training a new administrator and I have created an Assistant Administrator
account in the Domain Admins group. However, as a measure of security, I would like to prevent him from locking out Administrator. Is it possible to do this?
- Well, they can't lock out `Administrator` because `Administrator` is immune to the normal lock out policy, but they can certainly change the password, rename the account, change DSRM passwords, or do far, far worse (potentially irreparable) damage to the environment. As Mark said, giving them domain admin they are completely unrestricted within the domain; you should have complete trust and faith in everyone in that group. – Shane Madden Jan 19 '12 at 16:49
- An account named `Assistant Administrator` -- really? Something like `admin-jsmith` or `js-admin` would make more sense. *All* user accounts, including administrative accounts, should be associated with and named after a *single, specific user or service* and should not be "generic" or shared. – Skyhawk Jan 20 '12 at 15:35
1 Answer
It's not possible. If you give someone Domain Admin, anything that you put in place can be skirted.
If you don't want this new admin to have unchecked powers right away, then you'll need to take him out of the Domain Admins group. You can make a new group and delegate only what you want him to be able to do to that new group. The Delegation Wizard in ADUC has a lot of predefined tasks available for delegation.

MDMarra
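What the answer's delegation approach looks like when scripted rather than clicked through the Delegation Wizard, as an added example that is not part of the original answer: the trainee's per-person admin account goes into a dedicated group, and that group is granted only "Reset Password", "unlock account" (write to `lockoutTime`) and "user must change password at next logon" (write to `pwdLastSet`) on user objects under one OU. The OU, group and account names are assumptions for illustration; the GUIDs are looked up from the schema and configuration partitions instead of being hard-coded.

```powershell
# Added example (not from the original answer): delegate password reset / unlock
# on a single OU to a dedicated group instead of handing out Domain Admins.
# OU, group and account names below are assumptions for illustration.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$rootDse    = Get-ADRootDSE
$targetOu   = "OU=Staff,$($domain.DistinguishedName)"   # assumed: the OU the trainee may manage
$groupName  = "Delegated-Helpdesk-Staff"                 # assumed group name
$traineeSam = "admin-jsmith"                             # assumed per-person admin account

# 1. A dedicated group for the delegated rights (delegate to groups, never to one user's ACE).
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$($domain.DistinguishedName)" `
        -Description "Password reset / unlock on $targetOu only"
}
Add-ADGroupMember -Identity $groupName -Members $traineeSam

# 2. Resolve object-type GUIDs from the directory rather than hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}
$userClassGuid     = Get-SchemaGuid 'user'
$lockoutTimeGuid   = Get-SchemaGuid 'lockoutTime'
$pwdLastSetGuid    = Get-SchemaGuid 'pwdLastSet'
$resetPasswordGuid = Get-ExtendedRightGuid 'Reset Password'

# 3. Build the ACEs: each one applies only to descendant user objects of the OU.
$groupSid = (Get-ADGroup $groupName).SID
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$aces = @(
    # "Reset Password" control access right
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, $extRight, $allow, $resetPasswordGuid, $inherit, $userClassGuid)
    # Unlock account = write permission on lockoutTime
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, $writeProp, $allow, $lockoutTimeGuid, $inherit, $userClassGuid)
    # "User must change password at next logon" = write permission on pwdLastSet
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, $writeProp, $allow, $pwdLastSetGuid, $inherit, $userClassGuid)
)

$acl = Get-Acl -Path "AD:\$targetOu"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# 4. Verify: only the three intended ACEs exist for the group on the OU ...
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# ... and the trainee is not (directly or via nesting) in Domain Admins, which would
# make the whole delegation moot.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $traineeSam) {
    Write-Warning "$traineeSam is still a member of Domain Admins; remove it or this delegation changes nothing"
}
```

Two things worth knowing before relying on this. The built-in `Administrator` account normally lives in `CN=Users`, not under the delegated OU, so none of these ACEs apply to it; and even if it were moved under the OU, the AdminSDHolder/SDProp process periodically rewrites the ACL of protected accounts (those with `adminCount=1`, which includes `Administrator` and every Domain Admin), stripping inherited delegations. So the trainee ends up able to reset and unlock ordinary staff accounts only, which is exactly the scope the answer is suggesting.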