Restrict Domain Admin Group delegation

Khaliq ur Rehman
Hi Guys,

I want to be able to restrict who can add or delete members of the domain Admins group.

So, for example, is there a way to stop current members of the domain admins group from adding or deleting members of the domain admins group?

What is the best way to do this?

Thanks everyone.

Commented:
Delegation control

Remove users from domain admin and assign in the delegation control...

PS: see the following detailed link

https://www.itprotoday.com/management-mobility/view-or-remove-active-directory-delegated-permissions

all the best
Commented:
"So, for example, is there a way to stop current members of the domain admins group from adding or deleting members of the domain admins group?"
Cannot be done effectively. You should only have a handful of people that are directly responsible for AD (not helpdesk etc.) as domain admins.

Why? Because DAs can undo any security restrictions and even get passwords from other accounts:
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html

You should create new delegation groups and role groups and do the permission delegation against that. You can find that process and some delegation templates here
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
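
One way to lay out the delegation-group and role-group approach recommended in the answer above, as an added example that is not from the thread or the linked article. The OU paths, group names, and the choice of password reset as the delegated task are assumptions, as is mapping delegation groups to domain local scope and role groups to global scope.

```powershell
# Added example. All OU and group names below are hypothetical placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName

$targetOu = "OU=Staff,$domainDn"         # hypothetical OU holding the user accounts
$groupsOu = "OU=Admin Groups,$domainDn"  # hypothetical OU holding admin groups

# Delegation group: holds the ACL entries on the OU, never contains users directly.
New-ADGroup -Name 'DLG-Staff-ResetPassword' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupsOu

# Role group: contains the people who perform the job function.
New-ADGroup -Name 'ROLE-Helpdesk' -GroupScope Global `
    -GroupCategory Security -Path $groupsOu

# The role receives the permission only through the delegation group.
Add-ADGroupMember -Identity 'DLG-Staff-ResetPassword' -Members 'ROLE-Helpdesk'

# Grant "Reset Password" on user objects below the OU (/I:S = sub-objects only).
dsacls $targetOu /I:S /G "$netbios\DLG-Staff-ResetPassword:CA;Reset Password;user"

# Allow setting "must change password at next logon" after a reset.
dsacls $targetOu /I:S /G "$netbios\DLG-Staff-ResetPassword:RPWP;pwdLastSet;user"

# Review what was granted to the delegation group on the OU.
dsacls $targetOu | Select-String 'DLG-Staff-ResetPassword'

# With day-to-day tasks delegated, confirm Domain Admins is down to the
# handful of accounts directly responsible for AD (nested members included).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```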
