
Deny domain admins group policy permissions

Hi guys
Is it possible to grant only enterprise admins the ability to add, delete, and modify group policies, while denying domain admins the ability to add, delete, and modify group policies?
Any help greatly appreciated.
3 Solutions
Yes you can do this

Open up GPMC.msc, navigate to the domain and click on the Delegation tab. You will need to remove the Administrators group and Domain Admins. You may have to go to all your root OUs to remove Domain Admins though. Do make sure you have an account in Enterprise Admins so you can administer GPOs.
Vinchenzo-the-Second is partially right.
You can remove the "Link GPOs" right for the "Domain Admins" group on the domain container. But if you take a closer look, the right applies only to "this container only".
Therefore, you would have to do the same trick for each sub-container, which can be a pain to manage.
Moreover, removing this right will only prevent admins from linking Group Policy objects to containers; they will still be able to modify them.

Another way would be to change the security on the Schema itself.
Open schmmgmt.msc (or MMC, then find "Active Directory Schema").
Find the class "groupPolicyContainer", then open properties, go to Default Security tab, remove Domain Admins group.
Once done, no one from Domain Admins group can create, modify, or delete GPO.
I would like to add that the tip on the schema will only work for newly created GPOs.
For the old ones, you need to remove the rights manually, or with scripts.
An example could be (with Windows 7/2008 R2):
# Load the Group Policy cmdlets (RSAT / GPMC must be installed)
Import-Module GroupPolicy
# For every GPO in the domain, replace whatever Domain Admins currently holds with no permission at all
Get-GPO -All | Set-GPPermissions -PermissionLevel None -TargetName 'Domain Admins' -TargetType 'Group' -Replace

Otherwise, there are GPMC scripts that do the same thing (SetGPOPermissions.wsf); you can download them here: http://www.microsoft.com/downloads/en/details.aspx?familyid=38c1a89b-a6d2-4f2a-a944-9236999aee65&displaylang=en
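The one-liner above changes every GPO at once. An audit-first version, as an added example that is not from the thread, lists only the GPOs where the group actually holds edit-level rights and then removes them with -WhatIf support; the function names are made up here, and it assumes the GroupPolicy module and an account that is still in Enterprise Admins.

```powershell
# Added example (not from the original answers): report, then strip, a group's
# edit rights on existing GPOs. Assumes the GroupPolicy module (RSAT / GPMC) is
# installed and the caller keeps rights through Enterprise Admins.
Import-Module GroupPolicy

# Hypothetical helper: which GPOs let $Group edit (or worse)?
function Get-GpoEditableByGroup {
    param([string]$Group = 'Domain Admins')
    # Permission levels that allow changing the GPO; read/apply are left alone
    $editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')
    foreach ($gpo in Get-GPO -All) {
        # Get-GPPermission errors when the trustee has no entry at all; treat that as "not granted"
        $perm = Get-GPPermission -Guid $gpo.Id -TargetName $Group -TargetType Group -ErrorAction SilentlyContinue
        if ($perm -and ($editLevels -contains [string]$perm.Permission)) {
            [pscustomobject]@{
                Name       = $gpo.DisplayName
                Id         = $gpo.Id
                Permission = [string]$perm.Permission
            }
        }
    }
}

# Hypothetical helper: remove the group's ACE from the GPOs found above
function Remove-GroupGpoPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Group = 'Domain Admins')
    foreach ($g in Get-GpoEditableByGroup -Group $Group) {
        if ($PSCmdlet.ShouldProcess($g.Name, "remove '$Group' ($($g.Permission))")) {
            # -Replace overwrites the existing entry instead of merging with it
            Set-GPPermission -Guid $g.Id -TargetName $Group -TargetType Group `
                -PermissionLevel None -Replace | Out-Null
        }
    }
}

# Report first, then dry-run; drop -WhatIf to apply the change.
Get-GpoEditableByGroup | Format-Table -AutoSize
Remove-GroupGpoPermission -WhatIf
```

Run the report a second time after applying to confirm the list is empty; the built-in Administrators group, which the first answer mentions, can be checked the same way by passing -Group 'Administrators'.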
Personally, I believe that changing the default permissions for builtin accounts creates more problems than it solves, and is not a best practice. A more sustainable model would be to create a separate group for the administrators, delegate the correct permissions required, and remove them from the Domain Admins group altogether.
Remember that removing Domain Administrators from specific areas can be cosmetic - a domain administrator has the right to modify all AD groups, including the Enterprise Admins and Schema Admins groups, unless again, you specifically remove those rights.
Simon336697 (Author) commented:
Hi guys. I can't thank you all enough for your brilliant answers, especially tasmant's answers.
Long term I agree with Chev - in terms of removing them from domain admins altogether, but for now, I need to only allow enterprise admins that level of right.