    AD Setup


    by xiaitmb ·

    About to set up a Windows Server 2003 DC. Besides the administrator account, I would like to set up additional admin-related accounts, like admin1, admin2, etc., for other administrators.
    For the admin1, admin2, etc. accounts, I would like to disable their ability to change the main administrator's account password. Is it possible? How?
    Also, if possible, I would like to limit some other functions. Is that possible? How?
    I would appreciate guidance. Thanks.

All Comments

      by p.j.hutchison ·

      1. You can add the new admin accounts to the Security page of the main administrator and set ‘Change password’ right to deny.

      2. Functions can be limited by using groups, users and Security tab features. Use the Delegate access feature in AD Users and Computers as well.

      by dumphrey ·

      Take a look here.
      This was for win2k, but 2k3 is much the same. Just because you need an "admin" account, that doesn't mean it needs to be an "Admin" account. Create a regular user account and assign them to the objects and containers you need them to manage. Look at the built-in security groups to see if they can be of use. If they need actual Administrative access, just make sure you remain Enterprise admin, and they are not. At best give some domain admin, but I only do this if they show me they can navigate AD. Even the owner of my company is a regular user.
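
The two replies above, expressed as commands (an added example, not part of the original thread or written by its posters). It uses dsacls.exe from the Windows Server 2003 Support Tools; the domain `EXAMPLE` / `DC=example,DC=com`, the account `admin1` and the OU `Staff` are placeholder assumptions.

```batch
@echo off
rem Added example, not from the thread. All names are placeholders:
rem domain EXAMPLE (DC=example,DC=com), account admin1, OU "Staff".

set DOMAIN_DN=DC=example,DC=com
set ADMIN_DN=CN=Administrator,CN=Users,%DOMAIN_DN%
set STAFF_OU=OU=Staff,%DOMAIN_DN%

rem 1. Record the current ACL on the Administrator object before touching it.
dsacls "%ADMIN_DN%" > administrator-acl-before.txt

rem 2. Deny admin1 the "Change Password" right on that object
rem    (command-line form of the Security-page step in the first reply).
dsacls "%ADMIN_DN%" /D "EXAMPLE\admin1:CA;Change Password"

rem 3. Delegate instead of promoting: admin1 stays a regular user and gets
rem    full control of user objects under one OU only (/I:S = child objects).
dsacls "%STAFF_OU%" /I:S /G "EXAMPLE\admin1:GA;;user"

rem 4. Review the entries that now mention admin1.
dsacls "%ADMIN_DN%" | findstr /i "admin1"
dsacls "%STAFF_OU%" | findstr /i "admin1"
```

The Administrator account is a protected object whose ACL is periodically reset from `CN=AdminSDHolder,CN=System,<domain DN>`, so rerun step 4 after an hour or so to confirm the deny entry is still present.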
