ADS snap-in

[HH]

How do I restrict the ads snap-in so only administartor
has rights to this?

 

[Matjaz Ladava [MVP]]

In windows server the system security controls what can be done or what can
not be done. If you don't want someone to administer AD or special part of
it you restrict this trough security settings not by disallowing them to run
tools.
Can you be more detailed of what you are trying to do so wee can provide
more help ?

--
Regards

Matjaz Ladava
MVP Windows Server - Directory Services
(e-mail address removed), (e-mail address removed)

 

[Tomasz Onyszko]

How do I restrict the ads snap-in so only administartor
has rights to this?

First solution - deploy proper NTFS permission on tshi sanp-ins so only
administrators can run this

Second solution - deploy GPO with proper settings in User configuration
-> Administrative templates -> Windows components -> MMC ->
Restricted/Permitted snap-ins , take Administrators outside of scope of
this GPO (move them to the separated OU or set proper ACLs on this GPO
object)

Third solution - create GPO with software restriction hash rule which
allows only the administrators to run this snap-ins

 

[Guest]

Right now there three administrators in the admin group. I
want so two of the three allow to change the dns the third
have adminrights except for the ADS.

Please help

 

[Tomasz Onyszko]

Right now there three administrators in the admin group. I
want so two of the three allow to change the dns the third

To change DNS entris give them proper ACLs on the zone or place them in
the DNsAdmins group.

have adminrights except for the ADS.

Define this rights - becouse if You want to give him right to do all
administrative tasks on the server maybe place him in the Server operators