Deny domain admins group policy permissions
Hi guys
Is it possible to grant only enterprise admins the ability to add,delete,modify group policies, while denying domain admins add,delete,modify group policies.
Any help greatly appreciated.
Is it possible to grant only enterprise admins the ability to add,delete,modify group policies, while denying domain admins add,delete,modify group policies.
Any help greatly appreciated.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi guys. I can't thank you all enough for your brilliant answers, especially tasmants answers.
Long term I agree with Chev - in terms of removing them from domain admins altogether, but for now, I need to only allow enterprise admins that level of right.
Long term I agree with Chev - in terms of removing them from domain admins altogether, but for now, I need to only allow enterprise admins that level of right.
But for the old ones, you need to remove rights manually, or with scripts.
An example could be (with Windows Seven/2008R2):
Open in new window
Else, it exists GPMC scripts to do the same thing (SetGPOPermissions.wsf), you can download them here: http://www.microsoft.com/downloads/en/details.aspx?familyid=38c1a89b-a6d2-4f2a-a944-9236999aee65&displaylang=en