restricting administrators

[pdk]

Is it possible to restrict members of the administrators
so that they can add them selves to a higher ranking group
e.g. Domain Admininistrators

If not does anyone know of other tools ??

 

[Mark-Allen]

Not sure about your question.

Local administrators cannot normally make themselves Domain Administrators. Only a Domain admin or an Enterprise admin can add their name to the domain group.

But Domain Admins are local admins by default on all domain registered machines.

Does this help?

--
Mark-Allen Perry
ALPHA Systems, Switzerland
mark-allen AT mvps DOT org

Is it possible to restrict members of the administrators
so that they can add them selves to a higher ranking group
e.g. Domain Admininistrators

If not does anyone know of other tools ??

 

[pdk]

Let me make it more specific

Members of the administrators group found in ADUC
administrators group can add themselves to higher level
groups. It is this ability that I want to restrict. But is
it possible ??

-----Original Message-----
Not sure about your question.

Local administrators cannot normally make themselves

Domain Administrators. Only a Domain admin or an
Enterprise admin can add their name to the domain group.

But Domain Admins are local admins by default on all domain registered machines.

Does this help?

--
Mark-Allen Perry
ALPHA Systems, Switzerland
mark-allen AT mvps DOT org

"pdk" <[email protected]> wrote in

message news:[email protected]...

 

[Steven L Umbach]

Any user in the administrators group for the domain as shown in AD Users and
Computers administrators is all powerful in the domain [possibly for the forest if in
the root domain] and can not be restricted in a way that the administrator can not
undo. --- Steve

 

[Joe Richards [MVP]]

No. Don't make them an administrator unless you trust them implicitly.