Domain Admin AD access

Hi Guys,

We need to lock down AD from a few domain admins as they need very high access but keep changing things they shouldn't.

Would the best option be to not allow write access on AD for the domain admins group and then add everyone that should have that power to the enterprise admins group?

Mid-Western Regional CouncilICT DepartmentAsked:
Who is Participating?
Cliff GaliherConnect With a Mentor Commented:
Wrong direction. Take away domain admin access from those who shouldn't have it. *By definition*, domain admins should be able to write to the domain.

Create a new group or groups for those you are about to take domain admin access from, and grant only the minimum necessary permissions' to that group to do what they need. You can still grant pretty high access. Delegated access has been in AD from the start, for example.
Mid-Western Regional CouncilICT DepartmentAuthor Commented:
Yeah i just discussed that. Probably easier make a power user group sort of thing.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.