Hey everyone,
I'm dealing with an issue involving our Domain Admin (DA) accounts. We manage two different accounts for our Domain Admin users: a standard account and a DA account. The DA accounts don't have any mailboxes in Office 365 since they're not used for that purpose. However, we're running a script that sends an email notification when passwords are about to expire, and I'm trying to figure out how to make it work for the DA accounts.
The standard accounts pull the email address from the E-mail field, which isn't the same as the actual logon email displayed on the Accounts tab. For the DA accounts, that E-mail field is completely empty.
I'm thinking of adding the regular email address to the E-mail field of the DA account, but I'm worried it might cause issues. Has anyone tried this before? Will it mess anything up?
Thanks!
3 Answers
You can add an email to a different attribute for admin accounts and use that in your script. But I'm curious why these accounts need frequent password changes in the first place?
It's generally recommended that your DA accounts don’t sync to Office 365. If you exclude them from the sync, you shouldn’t have any issues with duplicate email addresses. If they have to be synced, consider giving them a different email and making that a shared mailbox, then set up forwarding to the regular account.
Have you thought about setting up the DA accounts with an attribute such as "Owner"? This way, when the DA account password is about to expire, the notification email can go to the designated owner.
We considered using another field for this, but it’s hard to ensure that the info gets updated every time a new user is added. So instead, we’ll just generate the email dynamically as part of the script. As for the password changes, you’d have to ask our Security team. They believe it enhances security, although some of us think otherwise!
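An added example, not code from anyone in the thread: one way an expiry-notification script could resolve the recipient, using the account's own `mail` attribute when it is set and otherwise deriving the standard account from the admin logon name. The `da-` prefix, the 14-day window, and the SMTP server and sender address are assumptions.

```powershell
Import-Module ActiveDirectory

$WarnDays    = 14                        # assumed notification window
$AdminPrefix = 'da-'                     # hypothetical convention: da-jsmith -> jsmith
$SmtpServer  = 'smtp.example.com'        # placeholder
$From        = 'it-notify@example.com'   # placeholder

function Resolve-NotifyAddress {
    param([Parameter(Mandatory)] $User)

    # Standard accounts: the E-mail field (mail attribute) is populated.
    if ($User.mail) { return $User.mail }

    # Admin accounts: strip the prefix and look up the matching standard account.
    if ($User.SamAccountName -like "$AdminPrefix*") {
        $stdName = $User.SamAccountName.Substring($AdminPrefix.Length)
        try   { $std = Get-ADUser -Identity $stdName -Properties mail -ErrorAction Stop }
        catch { $std = $null }           # no matching standard account
        # Only mail an enabled account, so a leaver's address is never used.
        if ($std -and $std.Enabled -and $std.mail) { return $std.mail }
    }
    return $null                         # no safe recipient found
}

$props = 'mail', 'msDS-UserPasswordExpiryTimeComputed'
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' -Properties $props

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # Empty, 0 or Int64.MaxValue means there is no usable expiry time.
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { continue }

    $to = Resolve-NotifyAddress -User $u
    if (-not $to) {
        # Surface unmatched admin accounts instead of skipping them silently.
        Write-Warning "No recipient for $($u.SamAccountName); password expires $expires"
        continue
    }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to `
        -Subject "Password for $($u.SamAccountName) expires in $daysLeft day(s)" `
        -Body "Change the password for $($u.SamAccountName) before $expires."
}
```

Because nothing is written to the admin account's E-mail field, the lookup adds no address to those accounts, and the warning output shows which admin accounts have no matching standard account.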