Restrict who can add users to the group Domain Admins

Simon336697
Hi Guys,

In the domain admins group, we have the following situation:

-----------------------------------------------------
<Individual user accounts>
<Group accounts>

So, for example,

----------------------------------------------------- domain admins group
Bob
Sue
Steve
Server Admins group


What I want to be able to do is to restrict who can add or delete members of the domain Admins group.

So, for example, is there a way to stop current members of the domain admins group from adding or deleting members of the domain admins group?

What is the best way to do this?

Thanks everyone.
No, domain admins have the ability to modify any group membership in the domain.
If you do not trust somebody then delegate permissions accordingly for a domain user.

Author

Commented:
So, you delegate this permission to add or remove a user and/or group from the Domain Admins group to a user?

Senior Active Directory Engineer
Top Expert 2012
Commented:
Hi,

Unfortunately, you cannot restrict the Domain Admins group from removing members of that group. Domain Admins is the most powerful group in AD and cannot be restricted. The only way is to consider whether those users really require these rights. Maybe some simple AD rights delegation might help?

If you're interested in this topic, please visit my blog and read the articles about that:
http://kpytko.wordpress.com/2012/05/16/active-directory-rights-delegation-overview/
http://kpytko.wordpress.com/2012/05/17/active-directory-rights-delegation-part-1/

Regards,
Krzysztof
To add more,

This is by design. By default, the Domain Administrator account is a powerful account and has the ability to maintain the entire domain in a forest. Hence the members can easily modify any group in a domain. The only thing they are restricted from is the Enterprise Administrators group. A domain administrator cannot modify the enterprise group, as it is present in the root domain; only members of Enterprise Administrators can modify that group.

If you don't trust a user who is a member of Domain Administrators, then remove the user account from Domain Administrators, perform delegation and provide him with the restricted rights.

Refer to the link below to understand delegation:

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

Regards,

_Prashant_
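Both answers above recommend the same remedy: take the account out of Domain Admins and delegate only the specific right it needs. The script below is an added example, not code from the thread or from either expert, showing what that delegation looks like in practice: it grants a delegate group the ability to read and write the `member` attribute of one ordinary group (the "Server Admins" group from the question) and nothing else. It assumes the RSAT ActiveDirectory module is installed and that the group names `Server Admins` and `Server Admin Managers` exist; both names are placeholders.

```powershell
# Added example (not from the original thread): delegate "write Members"
# on one specific group to a named principal instead of handing out Domain Admins.
# Assumptions: ActiveDirectory module (RSAT) is available; the target group
# 'Server Admins' and the delegate group 'Server Admin Managers' are placeholder names.
Import-Module ActiveDirectory

$TargetGroup   = 'Server Admins'          # group whose membership is being delegated
$DelegateGroup = 'Server Admin Managers'  # principal that receives the right

$group    = Get-ADGroup -Identity $TargetGroup
$delegate = Get-ADGroup -Identity $DelegateGroup
$sid      = [System.Security.Principal.SecurityIdentifier]$delegate.SID

# schemaIDGUID of the 'member' attribute; this value is fixed across all AD forests
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# The AD: PSDrive (provided by the ActiveDirectory module) exposes object ACLs
$aclPath = "AD:\$($group.DistinguishedName)"
$acl     = Get-Acl -Path $aclPath

# One ACE: ReadProperty + WriteProperty, scoped to the 'member' attribute only,
# on this object only (no inheritance), so the delegate cannot touch other attributes
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($rule)
Set-Acl -Path $aclPath -AclObject $acl

# Read the ACL back and show only the ACE just added, to confirm it landed
(Get-Acl -Path $aclPath).Access |
    Where-Object {
        $_.IdentityReference.Value -like "*\$($delegate.SamAccountName)" -and
        $_.ObjectType -eq $memberAttrGuid
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

Run it once as an account that already holds Domain Admins (or WriteDacl on the target group). The caveat that ties back to the experts' point: this technique only sticks on ordinary groups. Domain Admins and the other protected groups have their ACLs overwritten from the AdminSDHolder template by the SDProp process, so an ACE placed directly on Domain Admins would be removed again; that is one more reason the answer to the original question is to shrink Domain Admins membership rather than to try to lock the group down.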

Author

Commented:
Thanks for that guys
