Remove Domain Admins ability from "Delegation Of Control"
- From: "DV" <clubv@xxxxxxxxxxx>
- Date: 20 Dec 2005 22:06:50 -0800
Hi,
I was just wondering whether it is possible to remove the Domain Admins
group the ability to Delegate Control in active directory and allow
only a specific security group this permisson. IE Create a security
group called Delegation Admins and only allow this group the ability to
delegate control.
The scenario is as follows. I need to create a bunch of restricted
security groups and i plan on placing these under a Restricted Security
Group OU. Then i plan on removing the the Read Members, Write Members
permission from domain admins so they cannot add or remove members
within the restricted groups. Then i would create a group called
"Restricted Group Admins" or similar and give it permission to
Read/Write members and then add the Admins that do have permission to
modify the restricted group membership to this "restricted group
admins" group. Thats all fine.
What i would like is the ability to prevent Domain Admins from Re
Delegate Control of these particular attributes to themselves again..
Hope that makes sense.
Thanks for your help in advance.
Dominic
.
- Follow-Ups:
- Re: Remove Domain Admins ability from "Delegation Of Control"
- From: Joe Richards [MVP]
- Re: Remove Domain Admins ability from "Delegation Of Control"
- From: Jorge de Almeida Pinto
- Re: Remove Domain Admins ability from "Delegation Of Control"
- Prev by Date: ActiveDirctory security questions
- Next by Date: Re: Offsite DNS question
- Previous by thread: ActiveDirctory security questions
- Next by thread: Re: Remove Domain Admins ability from "Delegation Of Control"
- Index(es):
Relevant Pages
|
