Remove Domain Admins ability from "Delegation Of Control"




I was just wondering whether it is possible to remove from the Domain Admins
group the ability to Delegate Control in Active Directory and allow
only a specific security group this permission, i.e. create a security
group called Delegation Admins and only allow this group the ability to
delegate control.

The scenario is as follows. I need to create a bunch of restricted
security groups and I plan on placing these under a Restricted Security
Group OU. Then I plan on removing the Read Members, Write Members
permission from Domain Admins so they cannot add or remove members
within the restricted groups. Then I would create a group called
"Restricted Group Admins" or similar and give it permission to
Read/Write members and then add the admins that do have permission to
modify the restricted group membership to this "Restricted Group
Admins" group. That's all fine.

What I would like is the ability to prevent Domain Admins from
re-delegating control of these particular attributes to themselves again.

Hope that makes sense.

Thanks for your help in advance.


Jorge de Almeida Pinto

IMHO, it will not work....

Why? Domain Admins and Administrators are very powerful groups. Either you
trust every member or you don't. There is nothing in between. Both groups
have a lot of permissions all over the place.
There is no point in having a group that would only be able to delegate all
kinds of permissions. If that group would be able to delegate to others, it
is able to delegate to itself.
When delegation comes into play, the higher authority delegates activities
to lower authorities.


Hey Jorge,

The reason is purely political. We are setting up a trust with a
partner and I do not want the Domain Admins adding themselves to the
restricted group, which in turn will be a member of a local security
group on the trusting domain. I agree, I would have thought that it
couldn't be done, as you would only place trusted parties in Domain
Admins, but quoting from Microsoft:

"This document provides three delegation examples using the Delegation
of Control wizard in the Active Directory Users and Computers Microsoft
Management Console (MMC) snap-in. They include:

Delegate complete control of an OU.
Delegate creation and deletion of users within an OU.
Delegate resetting of passwords for all users in an OU.
Part 1: Installing Windows Server 2003 as a Domain Controller
Step-by-Step Guide to Managing Active Directory
Guide Requirements
To perform these procedures, you must be a member of the Domain Admins
group or the Enterprise Admins group in Active Directory, or you must
have been delegated the appropriate authority. In addition to
implementing the common infrastructure, the following steps must be
To me this reads as: along with Domain Admins and Enterprise Admins, anyone
who is delegated the appropriate permission can use the Delegation
of Control.

Thanks again

Paul Bergson

This delegation should only work if you have the security credentials to
grant. If you don't have permission on an OU then you can't provide
elevated permissions. Jorge is right on: don't mess with this. You will be
miserable trying to do this, if you can even get it to work.

Another thing that would come along as you start to play with permissions
would be AdminSDHolder. This will reset permissions on certain groups.

Check this out



This posting is provided "AS IS" with no warranties, and confers no rights.

Joe Richards [MVP]

You can't prevent domain admins from doing anything on a DC or in AD. You can
certainly try but anything you do can be bypassed.



Joe, I think you're right.

I've tried a few things. If you remove the Domain Admins' ability to read
an OU, they cannot delegate control on the OU, but they can go into the
Security tab of the OU and re-add themselves with full control.

Thank you all for the replies anyway.
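
As an added example (not part of the thread and not any poster's code), this PowerShell lists which principals can rewrite the ACL or write group membership on the restricted OU and the groups inside it, which is the path the last post describes. The OU distinguished name is a placeholder, `Get-DelegationRisk` is a hypothetical helper name, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ouDn       = 'OU=Restricted Security Groups,DC=example,DC=com'  # placeholder DN (assumption)
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'       # schemaIDGUID of the "member" attribute
$aclRights  = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
$writeProp  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-DelegationRisk {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # The owner can normally rewrite the DACL even when no ACE grants it anything.
    [pscustomobject]@{
        Object = $DistinguishedName; Principal = $acl.Owner
        Reason = 'Owner (implicit WriteDacl)'; Inherited = $false
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        $reason = $null
        if ($rights -band $aclRights) {
            # GenericAll (Full Control) contains both bits, so it lands here too.
            $reason = 'Can change ACL or take ownership'
        }
        elseif (($rights -band $writeProp) -and
                ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $memberAttr)) {
            # Direct grants only; property-set and validated-write grants are not expanded.
            $reason = 'Can write member'
        }
        if ($reason) {
            [pscustomobject]@{
                Object = $DistinguishedName; Principal = $ace.IdentityReference.Value
                Reason = $reason; Inherited = $ace.IsInherited
            }
        }
    }
}

# Review the OU itself, then every group inside it.
$targets = @($ouDn) + @(Get-ADGroup -SearchBase $ouDn -Filter * | ForEach-Object DistinguishedName)
$targets | ForEach-Object { Get-DelegationRisk $_ } | Format-Table -AutoSize
```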
