
Deny domain admins group policy permissions

Simon336697 asked
Last Modified: 2012-05-11
Hi guys
Is it possible to grant only enterprise admins the ability to add, delete, modify group policies, while denying domain admins add, delete, modify group policies?
Any help greatly appreciated.

Commented:
I would like to add that the tip on the schema will only work for all newly created GPOs.
But for the old ones, you need to remove rights manually, or with scripts.
An example could be (with Windows Seven/2008R2):
Import-Module GroupPolicy
Get-GPO -All | Set-GPPermissions -PermissionLevel None -TargetName 'Domain Admins' -TargetType 'Group' -Replace


Otherwise, there are GPMC scripts that do the same thing (SetGPOPermissions.wsf); you can download them here: http://www.microsoft.com/downloads/en/details.aspx?familyid=38c1a89b-a6d2-4f2a-a944-9236999aee65&displaylang=en
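
An added example, not part of the original comment: the same permission change on existing GPOs, wrapped in a before-report, a preview mode and a verification pass. The parameter names `$Group`, `$ReportPath` and `-Apply` are assumptions made for this sketch.

```powershell
# Added example (not from the thread). $Group, $ReportPath and -Apply are assumed names.
param(
    [string]$Group      = 'Domain Admins',
    [string]$ReportPath = '.\gpo-permissions-before.csv',
    [switch]$Apply      # without -Apply the script only reports and runs -WhatIf
)

Import-Module GroupPolicy

# Levels that let the trustee change or delete a GPO; GpoCustom is a
# non-standard ACL and is flagged so it gets reviewed by hand.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

# 1. Record what the group currently holds on every existing GPO.
$findings = @(foreach ($gpo in Get-GPO -All) {
    Get-GPPermissions -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Name -eq $Group } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Gpo        = $gpo.DisplayName
                Id         = $gpo.Id
                Permission = $_.Permission
                Inherited  = $_.Inherited
                CanModify  = $editLevels -contains "$($_.Permission)"
            }
        }
})
$findings | Select-Object Gpo, Id, Permission, Inherited, CanModify |
    Export-Csv -Path $ReportPath -NoTypeInformation

# 2. Remove the group's entry where it can modify the GPO, or preview the change.
$targets = @($findings | Where-Object { $_.CanModify })
foreach ($f in $targets) {
    Set-GPPermissions -Guid $f.Id -TargetName $Group -TargetType Group `
        -PermissionLevel None -Replace -WhatIf:(-not $Apply) | Out-Null
}

# 3. Verify: list every GPO where the group can still modify policy.
$remaining = @(foreach ($f in $targets) {
    Get-GPPermissions -Guid $f.Id -All |
        Where-Object { $_.Trustee.Name -eq $Group -and
                       $editLevels -contains "$($_.Permission)" } |
        ForEach-Object { $f.Gpo }
})
"{0} GPO(s) where '{1}' can still modify policy" -f $remaining.Count, $Group
$remaining
```

Keep the CSV so the original permissions can be restored, and re-run the script without `-Apply` later to detect the group's rights being granted back.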

Author

Commented:
Hi guys. I can't thank you all enough for your brilliant answers, especially tasmant's answers.
Long term I agree with Chev - in terms of removing them from domain admins altogether, but for now, I need to only allow enterprise admins that level of right.