Prevent Domain Admin group from adding Group Policy

T

Tim Smith

I need to prevent the Domain Admin group from adding or
Modifying group policys on my domain. I also need to
prevent the domain admin group from adding them selves to
the Enterprise admin group. Is this possible? If so How?


Thanks

Tim
 
S

Simon Geary

You cannot do either of these things. Domain admins have complete control
over the domain by default and you cannot (and should not) fiddle around
with the permissions. A better policy would be to remove untrusted users
from the domain admins group and give them only the access they require.

Without an empty forest root domain a domain admin in that domain can add
themselves to the enterprise or schema admins group and there is nothing you
can do to stop them short of removing them from the domain admins group.
This is why dedicated forest roots are usually recommended.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Prevent some Domain Admin Account from creating USERS, Groups, OUs 2
Remove the Root Domain in the Forest 5
add specific accouny when joining a domain 1
Subdomain Group Administratration 2
group membership assigned through group policy? 6
Multiple Access Denied 11
AD design question....again 4
Can i use the Group Domainadmins for two Domains? 1

Top