Limit the Powers of Domain Admin(s)

Thread starter: Guest
Hi all,
I have a global group "mygg" which is a member of the Built-in "Domain Admin" group.
I need to disable the powers of creating/deleting/modifying user objects & OUs for the members of the "mygg" group. Also, members of this group should not be able to change/modify ownership of the objects.

The members of "mygg" should be able to only view the properties of user objects & OUs.

Thanks in advance
 
I have a global group "mygg" which is a member of the Built-in "Domain Admin" group.
I need to disable the powers of creating/deleting/modifying user objects & OUs for the members of the "mygg" group.
Also, members of this group should not be able to change/modify ownership of the objects.

Then remove that group from the "Domain Admins" ! You can't limit the
permissions that Domain Admins have - you can only remove someone from
being a domain admin by NOT putting them in the Domain Admins group in
the first place.

Marc
================================================================
Marc Scheuner May The Source Be With You!
Bern, Switzerland m.scheuner(at)inova.ch
 
Marc gave you the right advice.

The problem is that you are going about it backwards.

Don't put that group in Domain Admins; instead give
that group JUST the privileges you need it to have.

General principle: Avoid "negative permissions" and
"negative settings" like "block inheritance" whenever
practical.

Use only the NECESSARY positive permissions.

Reserve negative permissions for truly exceptional
cases (or design mistakes) when you have no other
choice.

--
Herb Martin
Aone said:
Hi all,
I have a global group "mygg" which is a member of the Built-in "Domain Admin" group.
I need to disable the powers of creating/deleting/modifying user objects &
OUs for the members of the "mygg" group. Also, members of this group should not be
able to change/modify ownership of the objects.
 
Actually I need to create a group which has only the following Allow/Deny options.

Allow:
· Promote and Demote domain controllers
· DNS/WINS/DHCP Configuration/Administration/Troubleshooting
· AD Administration
· OU creation/deletion
· AD Site creation/deletion/configuration
· Establish/Troubleshoot trust relationship
· Troubleshoot AD replication problems

Deny:
· Access to Schema Administrator Rights
· Access to Domain Admin Rights
· Access to Security Administrators Rights
· Access to Enterprise Administrator Rights
· Rights to delete event logs
· Local Administrative rights on domain controllers

Kindly help me out to achieve this.

Thanks in advance.
 
Aone said:
Actually I need to create a group which has only the following Allow/Deny options.

Allow:
· Promote and Demote domain controllers
· DNS/WINS/DHCP Configuration/Administration/Troubleshooting
· AD Administration
· OU creation/deletion
· AD Site creation/deletion/configuration
· Establish/Troubleshoot trust relationship
· Troubleshoot AD replication problems

This is probably too much to avoid making them an
Admin -- those things are NOT done that often so there
is little point in having an "extra group" to do these.

Deny:
Access to Schema Administrator Rights

No ONE has this, but the Enterprise Admins can add to
this group.
Access to Domain Admin Rights

You pretty much covered this (it's a contradiction) with
the stuff above, so what specifically do you NOT want
them to do?
Access to Security Administrators Rights

What specifically?
Access to Enterprise Administrator Rights
rights to delete event logs

This is not automatically included.
Local Administrative rights on domain controllers

Not possible with the contradiction you set up above
(especially DCPromo).
Kindly help me out to achieve this.

It's illogical and a bad design. (At least some of) it is impossible.

It also sounds unnecessary (for most of the items in the
"allow" list).
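Putting Marc's and Herb's advice into practice, here is an added PowerShell example (not code from the thread or from either poster): it lists which groups are nested inside Domain Admins, removes the group from Domain Admins, and then reports every explicit Deny ACE on the domain's OUs so those "negative permissions" can be reviewed and redesigned as narrower Allows. It assumes the RSAT ActiveDirectory module and uses the thread's group name 'mygg' as a placeholder.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module (which provides the AD: drive) and a group called 'mygg' (placeholder).
Import-Module ActiveDirectory

# 1. Find every group nested inside Domain Admins at any depth. A group listed
#    here is a Domain Admin no matter what ACEs you write on OUs, which is why
#    the advice above is to remove it rather than try to "deny" it.
function Get-GroupNestedInDomainAdmins {
    $da = Get-ADGroup -Identity 'Domain Admins'
    # OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) walks memberOf transitively.
    Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($da.DistinguishedName))" |
        Select-Object -ExpandProperty SamAccountName
}

# 2. Take the group out of Domain Admins. -WhatIf on this function propagates
#    to Remove-ADGroupMember, so you can preview before running it for real.
function Remove-GroupFromDomainAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GroupName)
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $GroupName -Confirm:$false
}

# 3. List explicit (non-inherited) Deny ACEs on every OU. Herb's principle is to
#    avoid negative permissions, so each hit is a candidate for redesign as a
#    positive, minimal Allow on the right object.
function Get-OuExplicitDenyAce {
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path ("AD:\" + $dn)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
                [pscustomobject]@{
                    OU         = $dn
                    Trustee    = $ace.IdentityReference.Value
                    Rights     = $ace.ActiveDirectoryRights
                    ObjectType = $ace.ObjectType   # all-zero GUID means the whole object
                }
            }
        }
    }
}

Get-GroupNestedInDomainAdmins
Remove-GroupFromDomainAdmins -GroupName 'mygg' -WhatIf
Get-OuExplicitDenyAce | Format-Table -AutoSize
```

Read access to user and OU properties, which is all the original poster wanted 'mygg' to keep, is already granted to Authenticated Users by the default AD ACLs, so nothing further needs to be added once the group is out of Domain Admins.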
 