Best way to restrict Add Users ability

[Guest]

We want to restrict the addition and removal of users to just 3 people in
our 2003 AD.

These 3 people may or may not be members of the domain administration group
(there will be 1 or 2 Domain Admins that will be denied the add user right
as well).

What is the best, cleanest way to accomplish this?

 

[Oli Restorick [MVP]]

The concept of a restricted domain admin is a false one. If somebody is a
domain admin, you cannot restrict anything they do.

Sounds like you have some other problems to deal with. There should be no
need for your people to use domain admin credentials for day-to-day tasks.
Use the delegation of control wizard to give people the access they need to
do their job.

Oli

 

[Blah McBobber]

Well, you could try a punish and/or reward system. If they try to create a
user and you don't like it, you could then make them listen to Celion Dion's
new record.

Or whatever.