  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 217

Isolate the ADUC from the admins

Hello,
We have recently installed NetIQ and I have created a group and added all the admins to this group.
But I want to prevent them from accessing Start > Programs > Admin Tools > Active Directory Users and Computers.
How can I do that?

Also, I want to create a global group, add all the admins there and give them local admin rights on the servers, but not on the domain controllers (in order to install patches etc.). I need advice on this too.

Thanks,
Hockland
Asked by: c_hockland
1 Solution
 
Jay_Jay70 commented:
Hi c_hockland,

You need to move these users to a new OU and apply this:

User config\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Active Directory Users and Computers

Either that, or use security filtering in the current OU, but I would put that setting as a separate policy.
0
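The OU, separate policy and security filtering suggested in the answer above can be scripted; this is an added example, not code from the original thread. The domain DN, OU name, group name and GPO name are hypothetical placeholders, and the snap-in setting itself is still configured in the Group Policy editor at the path quoted in the answer.

```powershell
# Added example. All names below are assumptions; substitute your own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = 'DC=example,DC=com'        # hypothetical domain
$OuName    = 'Delegated Admins'         # hypothetical OU for the admin accounts
$GroupName = 'NetIQ-Admins'             # hypothetical group holding those admins
$GpoName   = 'Restrict ADUC snap-in'    # hypothetical name for the separate policy
$OuDN      = "OU=$OuName,$DomainDN"

# 1. Create the OU if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $OuName -Path $DomainDN }

# 2. Move the user accounts that are members of the group into the OU.
Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Move-ADObject -Identity $_.distinguishedName -TargetPath $OuDN }

# 3. Create the dedicated GPO and link it to the OU.
#    Only user settings are needed, so the computer half is switched off.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'MMC restriction for delegated admins' }
$gpo.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes   # errors if the link already exists

# 4. Security filtering: only the admin group applies the GPO.
#    Authenticated Users keep Read so the policy can still be retrieved.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 5. Review the resulting permissions before editing the snap-in setting.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The MMC snap-in policy only restricts the console; it does not change what the accounts are permitted to do in the directory, so their AD permissions and group memberships still need reviewing separately.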
 
Jay_Jay70 commented:
c_hockland,

Restricted Groups will cater for your admin fun.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
