Re: Container Administration where you can block out Enterprise Admins

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Chriss3 (noSpamHere_at_chrisse.se)
Date: 03/08/04

• Next message: Stuart Brown: "Local Logon To Domain Controller"
• Previous message: Marlon Brown: "Accounts not in use - 180 days attribute ?"
• In reply to: Samuel Berry: "Container Administration where you can block out Enterprise Admins"
• Next in thread: Herb Martin: "Re: Container Administration where you can block out Enterprise Admins"
• Messages sorted by: [ date ] [ thread ]

---

Date: Mon, 8 Mar 2004 17:37:36 +0100

Hi Samuel , Enterprise Admins are a very power full group, Members of this
group should be highly trusted within your organization. What I want to say
by this is don't think the way of restrict members of the Enterprise Admins
Group. If they are trusted to be in this group they actually suppose to be
enterprise admins, If you should be delegated for a specify OU or a specify
domain, then delegated them the required ability for them do to there work.
In your case use the Delegate Of Control Wizard to delegate rights to threes
users/administrators.

Step-by-Step Guide to Using the Delegation of Control Wizard:
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/delegsteps.asp

-- 
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
"Samuel Berry" <sberry@spinn.net> skrev i meddelandet
news:4C8C760E-CB93-4285-A8AC-E9870A0AE7E9@microsoft.com...
> I hope I am phrasing this right. In NDS (Netware) , you can have Container
Admin's where they can "block" the Organizational Admin from
browsing/changing Leaf Objects and Organizational Units.
> Is the same thing possible in Active Directory?
> If so, can somebody point me to an article on how to do this.
>
> TIA,
>
> Sam Berry

---

• Next message: Stuart Brown: "Local Logon To Domain Controller"
• Previous message: Marlon Brown: "Accounts not in use - 180 days attribute ?"
• In reply to: Samuel Berry: "Container Administration where you can block out Enterprise Admins"
• Next in thread: Herb Martin: "Re: Container Administration where you can block out Enterprise Admins"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: How to restrict changes to Domain Admin & Administrator Groups ... Groups so existing members cannot add other users to these groups? ... I only want our Enterprise Admins group to have change rights to ... Blocked inheritance with exception of Enterprise Admins ... privs do not get extra privs. ... (microsoft.public.security) Re: problem with "Restricted Groups" within a GPO linked to my dom ... You are saying that the users no longer appear as members of the RG but the ... logon again if you are using the test user account so that their security ... > groups: Administrators, Backup Operators ... > Domain Admins, Enterprise Admins ... (microsoft.public.security) Re: Blocking "Enterprise Admins" permissions ... You can not* restrict Enterprise Admins Group and should not do so, ... How ever if you not trust the members of the enterprise ... should only select member that you trust to be Enterprise Admins. ... (microsoft.public.win2000.active_directory) Re: Separating domain admins and enterprise admins ... it is IMPOSSIBLE to prevent members of administrators, domain admins and enterprise admins doing things you do not want them to do! ... * This posting is provided "AS IS" with no warranties and confers no rights! ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Win2000  > microsoft.public.win2000.active_directory  > 2004-03