Deny domain admins group policy permissions

Posted on 2011-04-19
Last Modified: 2012-05-11
Hi guys,
Is it possible to grant only Enterprise Admins the ability to add, delete, and modify group policies, while denying Domain Admins the ability to add, delete, and modify group policies?
Any help greatly appreciated.
Question by: Simon336697
    LVL 14

    Accepted Solution

    Yes you can do this

    Open up GPMC.msc, navigate to the domain and click on the Delegation tab.  You will need to remove the Administrators group and Domain Admins.  You may have to go to all your root OUs to remove Domain Admins though.  Do make sure you have an account in Enterprise Admins so you can administer GPOs.
    LVL 11

    Assisted Solution

    Vinchenzo-the-Second is partially right.
    You can remove the "Link GPOs" right for the "Domain Admins" group on the domain container. But if you take a closer look, the right applies only to "this container only".
    Therefore, you would have to do the same trick for each sub-container, which can be a pain to manage.
    Moreover, removing this right will only prevent admins from linking Group Policy objects to containers; they will still be able to modify them.

    Another way would be to change the security on the Schema itself.
    Open schmmgmt.msc (or MMC, then find "Active Directory Schema").
    Find the class "groupPolicyContainer", then open properties, go to Default Security tab, remove Domain Admins group.
    Once done, no one from Domain Admins group can create, modify, or delete GPO.
    LVL 11

    Expert Comment

    I would like to add that the tip on the schema will only work for newly created GPOs.
    For the old ones, you need to remove the rights manually, or with scripts.
    An example could be (with Windows 7/2008 R2):
    # Load the GroupPolicy cmdlets (RSAT / Windows 7 / Server 2008 R2)
    Import-Module GroupPolicy
    # For every GPO in the domain, remove all permissions held by Domain Admins.
    # -PermissionLevel None together with -Replace deletes the existing entry
    # instead of merging with it.
    Get-GPO -All | Set-GPPermissions -PermissionLevel None -TargetName 'Domain Admins' -TargetType 'Group' -Replace

    Otherwise, there are GPMC scripts to do the same thing (SetGPOPermissions.wsf); you can download them here:
    LVL 9

    Assisted Solution

    Personally, I believe that changing the default permissions for builtin accounts creates more problems than it solves, and is not a best practice. A more sustainable model would be to create a separate group for the administrators, delegate the correct permissions required, and remove them from the Domain Admins group altogether.
    Remember that removing Domain Administrators from specific areas can be cosmetic - a domain administrator has the right to modify all AD groups, including the Enterprise Admins and Schema Admins groups, unless again, you specifically remove those rights.
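The following PowerShell script is an added example and is not part of the thread or of the GroupPolicy module's documentation. It ties together the two points above: tasmant's per-GPO permission rewrite for existing GPOs, and Chev's caution that stripping a builtin group is only cosmetic unless you also check who owns the objects and keep a designated group in control. It first reports, for every GPO, the owner and the permission level of the group to keep and the group to remove; only when run with -Apply does it grant the keeper group full control and then delete the other group's entry. The group names, the -Apply switch and the function names are assumptions for this example; it assumes the GroupPolicy module (Windows 7 / Server 2008 R2 RSAT or later) and runs against the current domain.

```powershell
# Added example, not from the original thread. Audits and optionally rewrites
# the ACL of every GPO in the current domain so that one designated group keeps
# full control while another group's entry is removed. Covers existing GPO
# objects only; the "Link GPOs"/"Create GPOs" rights on the domain container and
# the schema default security discussed in the thread are separate settings.
Import-Module GroupPolicy

# Reports the current state of each GPO for the two groups. Assumed names below.
function Get-GpoDelegationReport {
    param(
        [string]$KeepGroup   = 'Enterprise Admins',   # assumed: group that must keep control
        [string]$RemoveGroup = 'Domain Admins'        # assumed: group whose entry is audited
    )
    foreach ($gpo in Get-GPO -All) {
        # -All lists every trustee on the GPO, so a group with no entry simply
        # yields nothing instead of an error from a -TargetName lookup.
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $keep   = $perms | Where-Object { $_.Trustee.Name -eq $KeepGroup }
        $remove = $perms | Where-Object { $_.Trustee.Name -eq $RemoveGroup }
        [pscustomobject]@{
            Name        = $gpo.DisplayName
            Owner       = $gpo.Owner          # an owner can always regrant itself rights
            KeepLevel   = if ($keep)   { $keep.Permission }   else { 'None' }
            RemoveLevel = if ($remove) { $remove.Permission } else { 'None' }
        }
    }
}

# Rewrites the ACLs. Without -Apply it only prints what it would change.
function Set-GpoExclusiveDelegation {
    param(
        [string]$KeepGroup   = 'Enterprise Admins',   # assumed
        [string]$RemoveGroup = 'Domain Admins',       # assumed
        [switch]$Apply                                # assumed: dry run unless set
    )
    foreach ($gpo in Get-GPO -All) {
        if (-not $Apply) {
            Write-Host "[DRY RUN] $($gpo.DisplayName): grant $KeepGroup full control, remove $RemoveGroup"
            continue
        }
        # Grant the keeper group first so the GPO never ends up with no editor.
        Set-GPPermission -Guid $gpo.Id -TargetName $KeepGroup -TargetType Group `
            -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
        # -PermissionLevel None with -Replace deletes the entry instead of merging.
        Set-GPPermission -Guid $gpo.Id -TargetName $RemoveGroup -TargetType Group `
            -PermissionLevel None -Replace | Out-Null
        Write-Host "[APPLIED] $($gpo.DisplayName)"
    }
}

# Usage: report first, then apply, then report again to confirm.
Get-GpoDelegationReport | Format-Table -AutoSize
Set-GpoExclusiveDelegation            # dry run
# Set-GpoExclusiveDelegation -Apply   # uncomment to change the ACLs
# Get-GpoDelegationReport | Where-Object { $_.RemoveLevel -ne 'None' -or $_.Owner -like '*Domain Admins*' }
```

The second report line at the end is the check worth keeping around: any GPO where the removed group still holds a permission level, or still owns the object, is one where the change has not taken effect or has been undone. As Chev notes, a member of Domain Admins can still modify group membership and take ownership back, so the report is a detection aid, not a boundary; the durable fix remains a separate delegated group and removal from Domain Admins.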
    LVL 1

    Author Comment

    Hi guys. I can't thank you all enough for your brilliant answers, especially tasmant's answers.
    Long term I agree with Chev - in terms of removing them from domain admins altogether, but for now, I need to only allow enterprise admins that level of right.
