Restricting administrators


pdk

Is it possible to restrict members of the administrators
group so that they cannot add themselves to a higher
ranking group, e.g. Domain Administrators?

If not, does anyone know of other tools?
 
Local administrators on domain computers have no special powers in the domain. If you
mean the administrators group as shown in AD Users and Computers, you cannot
realistically restrict members in that group and they already have most domain
administrative rights. The domain admins global group by default is in the local
administrators group on all domain member computers and anyone in the domain
administrators group can add themselves to the domain admins or any other group in
the domain. Keep in mind that much administration can be accomplished by adding users
to the local administrators group on domain computers if they need to administer
them, or Active Directory delegation can be used to give a regular domain user much
power over an OU to add users/group/computers/manage GPO and such. A normal user with
delegated rights however can never restrict, manage, or modify any domain
administrator. --- Steve
 
No.

If you need to prevent an administrator from a child/parent domain from
adding themselves as enterprise admin, you need to put the two domains in
separate forests. The AD forest is now the security boundary that was
formerly the NT 4.0 domain.


hth
DDS W 2k MVP MCSE
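
Since the replies above say this membership cannot be restricted, the remaining control is auditing group changes. An added example (not part of the thread): Python that scans Security-log events 4728/4732/4756 (member added to a security group, Windows Server 2008 and later) exported as XML and flags an account that added itself to a privileged group. The privileged-group list and every sample event are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Security log events: member added to a global / local / universal security group.
ADD_EVENTS = {"4728", "4732", "4756"}
# Groups treated as privileged here (assumption; adjust to your forest).
PRIVILEGED = {"administrators", "domain admins", "enterprise admins", "schema admins"}

def parse(xml_text):
    """Return (event_id, {field: value}) for one event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def self_additions(events):
    """Flag changes where the account making the change is the member added."""
    findings = []
    for xml_text in events:
        event_id, f = parse(xml_text)
        group = f.get("TargetUserName", "")
        if event_id not in ADD_EVENTS or group.lower() not in PRIVILEGED:
            continue
        if f.get("SubjectUserSid") and f["SubjectUserSid"] == f.get("MemberSid"):
            findings.append((event_id, f.get("SubjectUserName", ""), group))
    return findings

# Constructed sample events (not real log data); SIDs and names are made up.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>{eid}</EventID></System><EventData>
<Data Name="MemberSid">{member}</Data><Data Name="TargetUserName">{group}</Data>
<Data Name="SubjectUserSid">{subject}</Data><Data Name="SubjectUserName">{name}</Data>
</EventData></Event>"""
SID = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLES = [
    TEMPLATE.format(eid=e, group=g, subject=SID + s, member=SID + m, name=n)
    for e, g, s, m, n in [
        ("4728", "Domain Admins", "1104", "1104", "jdoe"),          # self-add: flagged
        ("4728", "Domain Admins", "500", "1104", "Administrator"),  # added by someone else
        ("4732", "Helpdesk", "1104", "1104", "jdoe"),               # not a privileged group
        ("4756", "Enterprise Admins", "1150", "1150", "asmith"),    # self-add: flagged
        ("4624", "Domain Admins", "1104", "1104", "jdoe"),          # unrelated event ID
    ]
]

if __name__ == "__main__":
    for eid, who, group in self_additions(SAMPLES):
        print(f"event {eid}: {who} added own account to {group}")
```

This flags only the case where the subject and the added member are the same account; alerting on every change to the listed groups is the broader variant of the same check.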
 