General discussion


AD Setup

By xiaitmb ·
About to setup a Windows server 2003 DC. Besides the administrator account, would like to setup additional admin related accounts, like admin1, admin2 etc for other administrators.
For admin1, admin2 etc accounts, would like to disable their ability to change the main administrator's account password. Is it possible? how to?
And also if possible, to limit on some other functions. possible? how to?
Appreciate guidance.Thanks.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by p.j.hutchison In reply to AD Setup

1. You can add the new admin accounts to the Security page of the main administrator and set 'Change password' right to deny.

2. Functions can be limited by using groups, users and Security tab features. Use the Delegate access feature in AD Users and Computers as well.

Collapse -

by Dumphrey In reply to AD Setup

Take a look here.
This was for win2k but 2k3 is much the same. Just because you need an "admin" account, that doesnt mean it needs to be an "Admin" account. Create a regualr user account and assign them to objects and containers you need them to manage. Look at the built in security groups to see if they can be of use. If they need actual Administrtive access, just make sure you remain Enterprise admin, and they are not. At best give some domaine admin, but I only do this if they show me thay can navigate AD. Even the owner of my company is a regular user.

Related Discussions

Related Forums