How can I deny certain domain admins from toggling the "password never expires" option?

    Question

  • We have a highly distributed forest with domain admins in many different sites.  We have a policy where all passwords have an expiration policy - minus specific service accounts.  The issue is that domain admins have access to toggle this option, and so rather often we find a user with password set to never expire.

    My question is, how can we prevent this from happening?  Is it possible to toggle a domain admin's privileges to explicitly deny them access to toggle this?  And a bonus question - provided this has an answer, can we set a security group with all the domain admins we want to deny, and keep this deny setting for everyone in the security group?  This way we don't have to go to domain admins one by one.

    FYI I understand that domain admins have a specific set of privileges that are hard to override. That's what makes this question so tricky.


    ---------- Ron Bass


    • Edited by Ron Bass Wednesday, March 29, 2017 10:09 PM
    Wednesday, March 29, 2017 9:55 PM

All replies

  • Hi Ron,
    It is always suggested to keep only a few administrators to secure the domain. https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory
    According to your description, I would suggest you remove admin permission from those users, or move them out of the Domain Admins group. I doubt that there is a built-in method to deny an admin.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, March 30, 2017 8:40 AM
    Moderator
  • Okay then I have a couple followup questions.  

    First off, is there an elegant way to clone the domain admins group and then be able to further modify this new group's privileges?  Or should we create a new group and then just run the "Delegate Control" wizard?  

    And namely, is there a way to grant someone access to set/reset password but not toggle the "password never expires" option?

    Our other option is to just audit any time someone toggles the PNE option.  


    ---------- Ron Bass

    Thursday, March 30, 2017 10:33 PM
  • Okay, I managed to research this question a bit further ... turns out we want to create this in any group.  The issue is that the property to edit password is in the read/write UserAccountControl permissions for an OU.  But it contains a basket of rights.  So we can't disable the ability to toggle "Password Never Expires" without disabling the ability to do any other account management tasks like disable/enable an account.

    This was the article we referenced:

    http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/

    My approach at this point is to see if we can make some kind of custom permission, say UACnoPNE, which would enable all these permissions minus the Password Never Expires option. I'll create a new thread for this.


    ---------- Ron Bass

    Friday, March 31, 2017 11:02 PM
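    The audit fallback Ron mentions above, written out as an added example (not code from the thread): a PowerShell script that inventories accounts carrying the DONT_EXPIRE_PASSWORD bit of userAccountControl outside an approved exemption group, then reads Security event 4738 ("A user account was changed") to catch the bit being flipped on. It assumes the ActiveDirectory module, a placeholder exemption group name, and that "Audit User Account Management" success auditing is enabled on the domain controllers.

    ```powershell
    # Added example: monitor "Password Never Expires" instead of trying to deny it.
    Import-Module ActiveDirectory

    $DONT_EXPIRE_PASSWORD = 0x10000                   # userAccountControl flag bit (ADS_UF_DONT_EXPIRE_PASSWD)
    $ExemptGroup          = 'PNE-Approved-ServiceAccounts'   # placeholder group name, constructed for this example

    # 1) Inventory: enabled accounts with the flag set that are NOT in the exemption group.
    $exempt  = Get-ADGroupMember -Identity $ExemptGroup -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $flagged = Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl, whenChanged |
               Where-Object {
                   (($_.userAccountControl -band $DONT_EXPIRE_PASSWORD) -ne 0) -and
                   ($exempt -notcontains $_.SamAccountName)
               }
    "Accounts with Password Never Expires outside '$ExemptGroup':"
    $flagged | Select-Object SamAccountName, DistinguishedName, whenChanged | Format-Table -AutoSize

    # 2) Detection: event 4738 on the DC that processed the change carries the old and new
    #    userAccountControl values (EventData fields OldUacValue / NewUacValue, hex strings,
    #    '-' when unchanged), so a toggle is the flag bit going from clear to set.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738;
                                               StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['OldUacValue'] -eq '-' -or $data['NewUacValue'] -eq '-') { continue }
        $old = [int]$data['OldUacValue']               # PowerShell parses the 0x-prefixed string
        $new = [int]$data['NewUacValue']
        if ((($old -band $DONT_EXPIRE_PASSWORD) -eq 0) -and (($new -band $DONT_EXPIRE_PASSWORD) -ne 0)) {
            [pscustomobject]@{
                When    = $e.TimeCreated
                Target  = $data['TargetUserName']      # account that was changed
                Changer = $data['SubjectUserName']     # admin who made the change
                DC      = $e.MachineName
            }
        }
    }
    ```

    Run the inventory part on a schedule and feed the event part into whatever alerting the SIEM already does for 4738; an entry whose Target is not in the exemption group is the case the thread is trying to prevent.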
  • Hi Ron,
    Thanks for the update and feedback. If you have any questions, please feel free to post in the TechNet forum.
    Best Regards,
    Wendy Jiang


    Tuesday, April 04, 2017 5:50 AM
    Moderator