Restrict who can add users to the group Domain Admins

Simon336697 asked:
Hi Guys,

In the domain admins group, we have the following situation:

<Individual user accounts>
<Group accounts>

So, for example,

----------------------------------------------------- domain admins group
Server Admins group

What I want to be able to do is to restrict who can add or delete members of the domain Admins group.

So, for example, is there a way to stop current members of the domain admins group from adding or deleting members of the domain admins group?

What is the best way to do this?

Thanks everyone.

No, domain admins have the ability to modify any group membership in the domain.
If you do not trust somebody, then delegate permissions accordingly for a domain user.


So, you delegate this permission to add or remove a user and/or group from the Domain Admins group to a user?

Senior Active Directory Engineer
Top Expert 2012

Unfortunately, you cannot restrict the Domain Admins group from removing members of that group. Domain Admins is the most powerful group in AD and cannot be restricted. The only way is to think about whether those users really require these rights. Maybe some simple AD rights delegation might help?

If you're interested in this topic, please visit my blog and read the articles about it.

To add more,

This is by design. By default, the Domain Administrator account is a powerful account and has the ability to maintain the entire domain in a forest. Hence the members can easily modify any group in a domain. The only thing they are restricted from is the Enterprise Administrators group. A domain administrator cannot modify the enterprise group, as it is present in the root domain; only members of the Enterprise Administrators group can modify that group.

If you don't trust a user who is a member of the domain administrators group, then remove the user account from the domain administrators group, perform delegation, and provide him the restricted rights.

Refer to the link below to understand delegation
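An added example in PowerShell, not from the thread or any of the posters, of what the answers above recommend: audit who is effectively in Domain Admins (including the nested groups the asker describes), take an account out of the group, and delegate one narrow right instead. The user name 'jsmith', the group 'Server Support', and an elevated session with the RSAT ActiveDirectory module are assumptions. It also goes one step past the answers by refusing to delegate membership control of any group that is itself nested under Domain Admins, since that would just be a back door into Domain Admins.

```powershell
# Added example, not from the original thread. Illustrates the advice above:
# audit the effective membership of Domain Admins, take an account out of it,
# and delegate one narrow right instead. Assumptions (not from the thread):
# user 'jsmith', a group 'Server Support' that is NOT nested under
# Domain Admins, and an elevated session with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Who is effectively a Domain Admin? Direct members can be groups (the poster's
# 'Server Admins'), so report direct users, nested groups, and the expanded
# user list separately.
function Get-DomainAdminsReport {
    $direct    = @(Get-ADGroupMember -Identity 'Domain Admins')
    $effective = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                   Where-Object objectClass -eq 'user')
    [pscustomobject]@{
        DirectUsers    = @($direct    | Where-Object objectClass -eq 'user'  | ForEach-Object SamAccountName)
        NestedGroups   = @($direct    | Where-Object objectClass -eq 'group' | ForEach-Object SamAccountName)
        EffectiveUsers = @($effective | ForEach-Object SamAccountName | Sort-Object -Unique)
    }
}

# Guard for the delegation step: a group that is itself (transitively) a member
# of Domain Admins must not be handed to a non-admin, or the delegation is just
# a back door into Domain Admins. LDAP_MATCHING_RULE_IN_CHAIN walks the memberOf
# chain server-side. (DNs containing '(' ')' '*' or '\' would need LDAP escaping.)
function Test-NestedInDomainAdmins {
    param([Parameter(Mandatory)][string]$Group)
    $daDN = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
    $gDN  = (Get-ADGroup -Identity $Group).DistinguishedName
    $hit  = Get-ADGroup -LDAPFilter "(&(distinguishedName=$gDN)(memberOf:1.2.840.113556.1.4.1941:=$daDN))"
    return [bool]$hit
}

# Delegate "manage membership of $Group" to $User as one ACE: WriteProperty on
# the 'member' attribute of that group object. Nothing else on the object or
# elsewhere in the directory is granted.
function Grant-GroupMembershipDelegation {
    param(
        [Parameter(Mandatory)][string]$User,   # assumed sAMAccountName
        [Parameter(Mandatory)][string]$Group   # assumed group name
    )
    if (Test-NestedInDomainAdmins -Group $Group) {
        throw "'$Group' is nested in Domain Admins; delegating its membership would grant Domain Admin."
    }
    $userSid = (Get-ADUser -Identity $User).SID
    $groupDN = (Get-ADGroup -Identity $Group).DistinguishedName
    # schemaIDGUID of the 'member' attribute; the same in every AD forest
    $memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

    $acl = Get-Acl -Path "AD:\$groupDN"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $userSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttrGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$groupDN" -AclObject $acl
}

# Apply: drop the account from Domain Admins, grant the narrow right, re-audit.
Remove-ADGroupMember -Identity 'Domain Admins' -Members 'jsmith' -Confirm:$false
Grant-GroupMembershipDelegation -User 'jsmith' -Group 'Server Support'
Get-DomainAdminsReport
```

Run the report first and look at NestedGroups: every group listed there is, in effect, another Domain Admins group, and whoever can edit its membership can add Domain Admins. Note that none of this stops a remaining Domain Admin from simply re-adding the user; as the answers say, the only real control is keeping the group small.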




Thanks for that guys
