Limit who can add domain admins?

Nelson

Is there any way to limit domain administrators from adding other domain
administrators?
For example, I have 10 Domain Admins, Admin1-10.
I only want Admin1 to be able to add other domain admins.

How/is this possible?
Thanks!
 
Joe Richards [MVP]

Nope, that is why the number of domain admins (actually native admins in
general) should be a tiny group, say like 3-5. I ran a Fortune 5
environment with 250,000 users and ~375 Domain Controllers across the
world with 3 DA Engineers and 1 DA Manager.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Paul Bergson

Yep, previous employer had 50,000+ users and had 3 DAs.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Brian Desmond [MVP]

As far as limiting it, no, you can't. What you do is have a written policy
on this, and then you audit it. When the rule gets broken, you a) take the
offender and new member out and b) discipline the offender. This falls in
the security breach category. If you can't be trusted to have the rights, you
don't belong in my shop is my attitude.



--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com
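
One way to carry out the audit step described in the last reply, as an added example that is not part of any post in this thread: it reads Security event 4728 records and flags every Domain Admins addition made by an account other than the approved one. The function names, the `Admin1` allow-list (taken from the question) and the sample records are assumptions constructed for illustration.

```powershell
# Event 4728 ("a member was added to a security-enabled global group") is logged
# on domain controllers when "Audit Security Group Management" is enabled.
$ApprovedActors = @('Admin1')   # assumption: the only account allowed to add DAs

function Get-DomainAdminAddition {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated and Xml
        [string[]] $Approved = $ApprovedActors
    )
    foreach ($e in $Events) {
        $data = @{}
        foreach ($d in ([xml]$e.Xml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Domain Admins always has RID 512, so match the SID rather than the name.
        if ($data['TargetSid'] -notlike 'S-1-5-21-*-512') { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Actor     = $data['SubjectUserName']
            Member    = $data['MemberName']
            Violation = $Approved -notcontains $data['SubjectUserName']
        }
    }
}

# Constructed sample records (domain SID, names and times are made up; fields trimmed).
function New-SampleEvent([string]$Actor, [string]$Member, [string]$Rid, [datetime]$When) {
    $xml = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="MemberName">CN=$Member,CN=Users,DC=example,DC=com</Data>
<Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-$Rid</Data>
<Data Name="SubjectUserName">$Actor</Data>
</EventData></Event>
"@
    [pscustomobject]@{ TimeCreated = $When; Xml = $xml }
}

$sample = @(
    New-SampleEvent 'Admin1' 'Admin11'   '512'  '2024-01-10T09:00:00'   # allowed by policy
    New-SampleEvent 'Admin4' 'TempUser'  '512'  '2024-01-12T23:41:00'   # policy violation
    New-SampleEvent 'Admin4' 'HelpDesk2' '1150' '2024-01-13T08:15:00'   # other group, ignored
)
Get-DomainAdminAddition -Events $sample | Where-Object Violation | Format-Table -AutoSize

# Against a live domain controller, feed real records in the same shape:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728 } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; Xml = $_.ToXml() } }
```

Each flagged row names the offender (`Actor`) and the new member (`Member`), the two accounts the policy response acts on.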
 
