Re: Remove Domain Admins ability from "Delegation Of Control"



IMHO, it will not work....

Why? Domain Admins and Administrators are very powerful groups. Either you
trust every member or you don't. There is nothing in between. Both groups
have a lot of permissions all over the place.
There is no point in having a group that would only be able to delegate all
kinds of permissions. If that group would be able to delegate to others, it
is able to delegate to itself.
When delegation comes into play, the higher authority delegates activities
to lower authorities.

--
Cheers,
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"DV" <clubv@xxxxxxxxxxx> wrote in message
news:1135145210.053096.324230@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> I was just wondering whether it is possible to remove from the Domain Admins
> group the ability to Delegate Control in Active Directory and allow
> only a specific security group this permission, i.e. create a security
> group called Delegation Admins and only allow this group the ability to
> delegate control.
>
> The scenario is as follows. I need to create a bunch of restricted
> security groups and I plan on placing these under a Restricted Security
> Group OU. Then I plan on removing the Read Members, Write Members
> permission from Domain Admins so they cannot add or remove members
> within the restricted groups. Then I would create a group called
> "Restricted Group Admins" or similar and give it permission to
> Read/Write members and then add the admins that do have permission to
> modify the restricted group membership to this "Restricted Group
> Admins" group. That's all fine.
>
> What I would like is the ability to prevent Domain Admins from
> re-delegating control of these particular attributes to themselves again.
>
> Hope that makes sense.
>
> Thanks for your help in advance.
>
> Dominic
>
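
An audit of the point made in the reply above, added here as an example and not part of the original thread: for every group in the restricted OU it lists each trustee that can write the member attribute directly, or that holds WriteDacl, WriteOwner or ownership and can therefore grant that right back to itself. The OU distinguished name is a placeholder assumption; the script needs the ActiveDirectory module (RSAT).

```powershell
# Added example: list who can change membership of each group in an OU,
# either directly or by re-granting themselves the right.
Import-Module ActiveDirectory   # provides Get-ADGroup and the AD: drive

$OuDn       = 'OU=Restricted Security Groups,DC=example,DC=com'  # placeholder DN (assumption)
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'        # schemaIDGUID of the "member" attribute
$AdRights   = [System.DirectoryServices.ActiveDirectoryRights]

Get-ADGroup -SearchBase $OuDn -SearchScope OneLevel -Filter * | ForEach-Object {
    $group = $_
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    # The owner can always rewrite the DACL, whatever the ACEs say.
    [pscustomobject]@{
        Group = $group.Name; Trustee = $acl.Owner
        Path  = 'Owner (implicit right to change permissions)'; Inherited = $false
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $paths  = @()
        # GenericAll (Full Control) contains all three bits tested below.
        if ($rights.HasFlag($AdRights::WriteDacl))  { $paths += 'WriteDacl (can re-delegate to itself)' }
        if ($rights.HasFlag($AdRights::WriteOwner)) { $paths += 'WriteOwner (can take ownership)' }
        # WriteProperty counts when scoped to "member" or to all properties (empty GUID).
        # ACEs scoped by property set or validated write are not evaluated here.
        if ($rights.HasFlag($AdRights::WriteProperty) -and
            ($ace.ObjectType -eq $MemberGuid -or $ace.ObjectType -eq [guid]::Empty)) {
            $paths += 'WriteProperty on member'
        }
        foreach ($p in $paths) {
            [pscustomobject]@{
                Group = $group.Name; Trustee = $ace.IdentityReference.Value
                Path  = $p; Inherited = $ace.IsInherited
            }
        }
    }
} | Sort-Object Group, Trustee | Format-Table -AutoSize
```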

