Prevent Domain Admin group from adding Group Policy


Tim Smith

I need to prevent the Domain Admin group from adding or
modifying group policies on my domain. I also need to
prevent the domain admin group from adding themselves to
the Enterprise admin group. Is this possible? If so, how?


Thanks

Tim
 
You cannot do either of these things. Domain admins have complete control
over the domain by default and you cannot (and should not) fiddle around
with the permissions. A better policy would be to remove untrusted users
from the domain admins group and give them only the access they require.

Without an empty forest root domain, a domain admin in that domain can add
themselves to the enterprise or schema admins group and there is nothing you
can do to stop them short of removing them from the domain admins group.
This is why dedicated forest roots are usually recommended.
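
One way to act on the advice in the reply above, as an added example that is not part of the original thread: a PowerShell check that lists members of Domain Admins, Enterprise Admins and Schema Admins who are not on an approved list. The account names, the approved list and the function names are assumptions made for illustration; the live query needs the ActiveDirectory module.

```powershell
# Added example: flag members of high-privilege groups that are not on an approved list.
# Account names and the approved list are constructed placeholders.
function Find-UnapprovedMember {
    param(
        [Parameter(Mandatory)] [hashtable] $Membership,  # group name -> sAMAccountNames found
        [Parameter(Mandatory)] [hashtable] $Approved     # group name -> sAMAccountNames allowed
    )
    foreach ($group in $Membership.Keys) {
        $allowed = @($Approved[$group])
        foreach ($member in @($Membership[$group])) {
            if ($allowed -notcontains $member) {
                [pscustomobject]@{ Group = $group; Member = $member }
            }
        }
    }
}

function Get-LiveMembership {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so they are queried there; Domain Admins is queried in the current domain.
    Import-Module ActiveDirectory
    $root = (Get-ADForest).RootDomain
    $here = (Get-ADDomain).DNSRoot
    $targets = @{ 'Domain Admins' = $here; 'Enterprise Admins' = $root; 'Schema Admins' = $root }
    $result = @{}
    foreach ($name in $targets.Keys) {
        # -Recursive expands nested groups so indirect members are not missed
        $result[$name] = @(Get-ADGroupMember -Identity $name -Server $targets[$name] -Recursive |
            Select-Object -ExpandProperty SamAccountName)
    }
    $result
}

# Constructed sample data so the comparison can be run without a domain
$approved = @{
    'Domain Admins'     = @('adm-alice')
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
}
$sample = @{
    'Domain Admins'     = @('adm-alice', 'jdoe-helpdesk')
    'Enterprise Admins' = @('adm-alice')
    'Schema Admins'     = @()
}
Find-UnapprovedMember -Membership $sample -Approved $approved | Sort-Object Group, Member
# Against a real forest: Find-UnapprovedMember -Membership (Get-LiveMembership) -Approved $approved
```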
 