I have a new requirement that our security team has. We need to have the Domain Admin account that ADDM uses to discover Windows devices change the password on a daily basis. We have both a credential proxy and an AD proxy (might be simpler to just have a credential proxy). I'm trying to find out if anyone has any sort of script that can reach into AD's PDC and change the password with a random string that ADDM creates and then update itself with that same password. If so, let me know how you did it and what, if anything, was needed on the AD side to make this work.
Also, I have another requirement to possible de-escalate the account from a Domain Admin to something lower. I was told that the Operators built-in group on the domain controllers and in AD might work. I want to know if anyone has tested this. Basically they want to deny access to our service account from getting into AD Users and Computers or basically make it where it cannot change object in AD (except for the service account's own password). Thoughts?