Domain security privileges and Group Policy

[j_pickett]

Hello,

I have a question which I hope somebody may have an answer to.

I would like to know whether there are any implications of making an
ordinary user a member of Domain Admins on a Windows 2003 domain while
at the same time placing said user into a restricted GPO.
What I would like to find out is whether by having the limitations of
the GP imposed on this user whether that would prevent said user from
being able to take advantage of the fact they're a member of Domain
Admins?

Any feedback on this would be greatly appreciated.

Thanks,
JP.

 

[myweb]

Hello (e-mail address removed),

If he is a domain admin he can still change all policies you configure. So
makes no sense. Why should he have the right?

If he should not have domain admin rights DONT make him domain admin!!!

Best regards

myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Roger Abell [MVP]]

You can make it more difficult for an admin or a DA to
do what they want, have their way with your deployment,
but you cannot stop them if they are determined.
Also, to get to that point of making it difficult, you need
to be pretty good at the settings, certainly better than they.
If they are not usefully restrained then your deployment
is open to the impact of their point and click experiments.

Roger