We help IT Professionals succeed at work.

Are there any way to prevent installing a new CA in my Active Directory Domain?

I have a Windows Server 2008 R2 domain. Due to security requirements, we need to prevent any Domain Admin or Enterprise Admin to install new PKI platform in the domain.

As you know, an administrator with this privileges by default can create new PKI's architecture. We need to block this behavior.

Can you help me to meet this requirement without remove the administrative accounts from these groups?
Watch Question

Network Engineer
You can't stop a domain or enterprise admin from doing ANYTHING. Any security restriction you put in place can be reverted by such a user.

You can audit actions and changes to try to detect such a change, but you can't prevent it.