a blog on technology in the real world

In a continuing process of cleaning up horrible decisions by our predecessors, we just moved a website off one of our domain controllers. The website was moving from IIS6 to 7 (or 7.5, whatever comes with Server 2008 R2), and it required some tweaking to start working again. One of the parts that didn’t work was a self-help page where teachers could unlock student accounts. I set up this web server, and created a service account for it that doesn’t have any special rights on the domain. Because the website runs in IIS as this service account, it could query the domain with no problems, but it didn’t have the rights to unlock accounts.

This is obviously where I differ from a coworker…

him: “Just add the service account to Domain Admins”

me: “Why would I want to do that?”

In the end I remembered I can delegate just the permissions needed to unlock our student accounts to that service account and it works fine.

Why use a hammer when you only need a tiny screwdriver?