Account Operators able to delete Domain Admin accounts?!
I'm the admin for a mid-size publishing company, and there are four other members of our support team. Until now I've always assigned them to the Domain Admins group, trusting that they would be respectful of our various roles. I now have reason to want to change this arrangement, so today I began playing around with assigning test accounts to a test Global Security group, then assigning that group to Account Operators and Print Operators, which should allow them to perform their jobs without allowing them to intrude on tasks that are more appropriately under my jurisdiction.

To make a long story short(er), everything worked fine except for one thing, which I can't help but feel is some sort of security loophole. Although a user in the new group could not directly edit the membership lists for Domain Admins or Administrators, and could not remove that group membership from a user account, it *could* actually delete the account! In other words, while they couldn't remove my account from Domain Admins or Administrators, they could delete my account.

Frankly, this doesn't seem right to me. Does anyone have any suggestions as to how I can prevent these less-privileged accounts from being able to delete an account belonging to higher-privileged groups? Thanks.

Richard

***** It has just occurred to me that, although the heading of the forum on the main page is simply "Admin", the forum is actually for Exchange Server. Is there an admin or mod that can relocate this to the proper forum? Many thanks. Richard *****
July 27th, 2006 10:12pm

Richard,

In most of our clients' environments I suggest the following:

- Create security groups for your lower level admins
- Delegate the rights you want to these groups at the domain or OU levels, as appropriate
- Create an OU called Administration
- Create sub-OUs for Domain Admins, Service Accounts, Built-In accounts, and other highly privileged accounts
- Remove security inheritance for the Administration OU and assign appropriate rights explicitly
- Allow lower level admins to unlock accounts in these OUs, but not reset passwords
July 28th, 2006 12:25am
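The OU layout and delegation Jeff describes, as an added example that is not part of the thread (and not Jeff's own script). It uses the ActiveDirectory PowerShell module on a domain-joined admin workstation and assumes a pre-existing delegated group named "Helpdesk-Admins" (a placeholder name); the helpdesk accounts are deliberately not members of Account Operators, since that group's rights come from the user class default security descriptor rather than from the OU tree.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and an
# existing group "Helpdesk-Admins" (placeholder name) that holds the lower level admins.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$adminOU     = "OU=Administration,$domainDN"
$helpdesk    = Get-ADGroup "Helpdesk-Admins"
$helpdeskSid = New-Object System.Security.Principal.SecurityIdentifier $helpdesk.SID

# Well-known schema GUIDs used when delegating on user objects
$userClassGuid   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$lockoutTimeGuid = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$resetPwdGuid    = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right

# 1. Administration OU plus sub-OUs for the highly privileged accounts
New-ADOrganizationalUnit -Name "Administration" -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($name in "Domain Admins", "Service Accounts", "Built-In Accounts") {
    New-ADOrganizationalUnit -Name $name -Path $adminOU -ProtectedFromAccidentalDeletion $true
}

# 2. Break inheritance on the Administration OU so delegations made higher in the
#    tree (for example at the domain root) no longer flow into it. The second $true
#    copies the currently inherited ACEs as explicit ones so Domain Admins and
#    SYSTEM keep access; prune that explicit list by hand afterwards.
$acl = Get-Acl -Path "AD:\$adminOU"
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "AD:\$adminOU" -AclObject $acl

# 3. Let the helpdesk group unlock accounts in this tree: that is read/write on the
#    lockoutTime attribute of descendant user objects. No ACE is granted for the
#    "Reset Password" extended right and none for Delete or DeleteChild.
$acl = Get-Acl -Path "AD:\$adminOU"
$unlock = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdeskSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($unlock)
Set-Acl -Path "AD:\$adminOU" -AclObject $acl

# 4. Verify: the helpdesk group must hold no Delete-type right and no Reset Password
#    right on the Administration OU. This pipeline should return nothing.
(Get-Acl -Path "AD:\$adminOU").Access |
    Where-Object { $_.IdentityReference -like "*\Helpdesk-Admins" } |
    Where-Object { ($_.ActiveDirectoryRights -match 'Delete') -or ($_.ObjectType -eq $resetPwdGuid) }
```

Run the verification step again after any later delegation change, since an ACE added at the domain root no longer reaches this OU but one added directly on it will.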

Thanks, Jeff, I'll give that a shot. Richard
July 28th, 2006 9:56pm

Account Operators get Full Control over all user objects - set as 'This object only' from the user class in the Schema. You can only break that by removing that ACL from your Domain Admin accounts.
August 17th, 2006 1:27pm
