Keep inheritance enabled for Delegation [closed]

I want to give a normal "Domain Users" account permission to reset the passwords of users in the Domain Admins group.

So I created an OU and moved all the user account targets into it.

Then I used "Delegate Control" to give the password reset rights to the normal domain user.

After doing an 'Enable Inheritance' on all the User Accounts it worked.

But shortly after that, the inheritance on the Domain Admins Users became disabled. And it stopped working.

I believe AdminSDHolder and Protected Groups are doing it.

I cannot remove users from the Domain Admins group; is there another approach to solving this?

Thanks,


Solution 1:

I don't even want to know why you want to do this. It's such a terrible idea, it doesn't even matter.

You're correct that AdminSDHolder is resetting the permissions on the protected DA accounts. This Technet article explains more in depth.

https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx

It also explains that you can use the dsHeuristics attribute on the forest's Directory Service object to set a bit flag that determines which groups are protected. But (thankfully), Domain Admins isn't one of the groups you can exclude.

Edit:

I forgot that it's also possible to modify the permissions on the actual AdminSDHolder object. The permissions on that object are what get stamped onto the protected users. So if you added your Domain Users permissions on it, they would get stamped onto the DAs.

But really, why bother? At the point any users in the domain can reset the password of any DA user, why not just make all users DA? Hell, why bother with users at all? Just make the actual domain administrator password "12345" and call it a day.
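For anyone auditing this behaviour rather than fighting it, the following PowerShell script is an added example (not code from the question or the answer above) that reports the three things the answer discusses: which ACEs on the AdminSDHolder object grant the Reset Password control-access right and will therefore be stamped onto protected accounts by SDProp, which adminCount=1 objects currently have inheritance blocked, and the value of the dSHeuristics exclusion character. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the directory; the function name Get-AdminSDHolderAudit is an assumption of this example, and the GUID used is the well-known Reset Password extended-right identifier.

```powershell
# Added audit example, not from the original thread. Assumes RSAT ActiveDirectory
# module and read access to the domain and configuration partitions.
Import-Module ActiveDirectory

function Get-AdminSDHolderAudit {
    $rootDse  = Get-ADRootDSE
    $domainDN = $rootDse.defaultNamingContext
    $configDN = $rootDse.configurationNamingContext

    # Well-known control-access-right GUID for "Reset Password".
    $resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
    $adRights = [System.DirectoryServices.ActiveDirectoryRights]

    # 1. ACEs on AdminSDHolder that would let the grantee reset passwords.
    #    SDProp copies this ACL onto every adminCount=1 object, so anything
    #    listed here ends up on Domain Admins accounts whether or not the
    #    accounts sit in a delegated OU.
    $holder = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDN" `
                           -Properties nTSecurityDescriptor
    $resetAces = $holder.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($adRights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
             ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty))
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

    # 2. Protected objects and whether their DACL currently blocks inheritance.
    #    AreAccessRulesProtected = $true is what the question observed after
    #    SDProp ran ("inheritance became disabled").
    $protected = Get-ADObject -LDAPFilter '(adminCount=1)' `
                              -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [PSCustomObject]@{
                Name               = $_.Name
                ObjectClass        = $_.ObjectClass
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }

    # 3. dSHeuristics on the Directory Service object. The Technet article
    #    cited above describes the 16th character as the AdminSDHolder
    #    exclusion mask for the operator groups; Domain Admins cannot be
    #    excluded through it.
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configDN" `
                             -Properties dSHeuristics
    $heuristics = [string]$dsObject.dSHeuristics
    $exclusionMask = if ($heuristics.Length -ge 16) { $heuristics.Substring(15, 1) } else { '0' }

    [PSCustomObject]@{
        ResetPasswordGrantsOnAdminSDHolder = $resetAces
        ProtectedObjects                   = $protected
        DsHeuristics                       = $heuristics
        AdminSDExclusionMask               = $exclusionMask
    }
}

# Usage: run as a domain user with read access, e.g. from a management host.
$audit = Get-AdminSDHolderAudit
$audit.ResetPasswordGrantsOnAdminSDHolder | Format-Table -AutoSize
$audit.ProtectedObjects | Where-Object InheritanceBlocked | Format-Table -AutoSize
"dSHeuristics='$($audit.DsHeuristics)' exclusion mask='$($audit.AdminSDExclusionMask)'"
```

Running this periodically (or after any "Delegate Control" change) gives a defender a quick answer to the question in the thread: if a non-administrative principal appears in the first table, SDProp will propagate that right to every protected account on its next pass, which is exactly the exposure the answer warns about; a principal that appears only on the OU and not on AdminSDHolder will be overwritten, which explains the symptom the question describes.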