How to manage admin accounts

Giganews Newsgroups
Subject: How to manage admin accounts
Posted by:  Phillip McIntosh (PhillipMcInto…
Date: Sat, 17 Feb 2007

All of our AD/2003 admin groups/user are stored in an Admin container which
is outside the delegated control of our ServiceDesk and Desktop Admin teams.
This is done to prevent them adding other accounts to the admin groups and/or
resetting someone's admin accounting password and using their account.

However, this means that if they lock their admin account out or forget the
password,  they can't unlock the account/reset the pasword.  Nor can the
ServiceDesk or Desktop teams.  Only the AD team can do this for them.
However, the AD team in based in Aus (Melb) and only work normal Melb busines
hours.  With the different timezones across Asia Pac this is becoming an
issue.  i.e. ServiceDesk is follow the sun, AD Team is not - they are only on
call and waking someone in the middle of the night to reset a password for
some Admin in India isn't ideal.

What I'm trying to implement is a way for the ServiceDesk to be able to
unlock the admin accounts and reset the passwords without lessening the
security model we currently have.  Something along the lines of a sub
container off of the Administrators container with delegated control to
unlock accounts.  I'm not sure what to do with the passwords though.  If they
can reset admin users passwords it lessens the security.  If I delegate
change password control (i.e. which means - as I understand it - that they
need to know the current password to be able to change it -  but if they knew
the current password then how did they lock the account out in the first
place) would that work?  Can I delete gate control so an Admin user can only
reset their own password?

I'm sure we are not the first company to face this issue.  Any ideas?