Re: Remove Domain Admins ability from "Delegation Of Control"



You can't prevent domain admins from doing anything on a DC or in AD. You can certainly try but anything you do can be bypassed.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


DV wrote:
Hi,

I was just wondering whether it is possible to remove from the Domain Admins
group the ability to Delegate Control in Active Directory and allow
only a specific security group this permission, i.e. create a security
group called Delegation Admins and only allow this group the ability to
delegate control.

The scenario is as follows. I need to create a bunch of restricted
security groups and I plan on placing these under a Restricted Security
Group OU. Then I plan on removing the Read Members, Write Members
permission from Domain Admins so they cannot add or remove members
within the restricted groups. Then I would create a group called
"Restricted Group Admins" or similar and give it permission to
Read/Write members and then add the admins that do have permission to
modify the restricted group membership to this "Restricted Group
Admins" group. That's all fine.

What I would like is the ability to prevent Domain Admins from
re-delegating control of these particular attributes to themselves again.

Hope that makes sense.

Thanks for your help in advance.

Dominic
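To see why Joe's answer holds for Dominic's scenario, here is an added audit script (not from either poster) that reads the DACL of each group under the restricted OU and reports every path by which Domain Admins could take membership control back: ownership, WriteDacl/WriteOwner, or a surviving WriteProperty on the member attribute. It assumes the ActiveDirectory module and a hypothetical OU DN; even an empty report is not a lockout, because Domain Admins sit in the DCs' Administrators group and can take ownership or edit the directory from the DC itself.

```powershell
# Added example: audit restricted groups for paths Domain Admins can use to regain
# control of membership. The OU DN below is a constructed placeholder.
Import-Module ActiveDirectory

$RestrictedOu = 'OU=Restricted Security Groups,DC=example,DC=com'   # assumed DN
$Domain       = Get-ADDomain
$DomainAdmins = "$($Domain.NetBIOSName)\Domain Admins"
# schemaIDGUID of the "member" attribute, used when an ACE targets only that attribute
$MemberGuid   = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
# Rights that let a principal rewrite the ACL or take ownership, i.e. undo any lockout
$ControlRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$WriteProp     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

foreach ($group in Get-ADGroup -Filter * -SearchBase $RestrictedOu) {
    $acl      = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $findings = @()

    # The object owner can always rewrite the DACL regardless of explicit ACEs
    if ($acl.Owner -eq $DomainAdmins) {
        $findings += 'owner (owner can always rewrite the DACL)'
    }

    foreach ($ace in $acl.Access | Where-Object { $_.IdentityReference.Value -eq $DomainAdmins }) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # WriteDacl / WriteOwner let the group re-delegate the member attribute to itself
        if (($ace.ActiveDirectoryRights -band $ControlRights) -ne 0) {
            $findings += "ACE grants $($ace.ActiveDirectoryRights) (can re-delegate)"
        }

        # A blanket WriteProperty (ObjectType empty) or one scoped to "member" still
        # allows membership changes even if "Write Members" was removed in the GUI
        $touchesMember = ($ace.ObjectType -eq [Guid]::Empty) -or ($ace.ObjectType -eq $MemberGuid)
        if ($touchesMember -and (($ace.ActiveDirectoryRights -band $WriteProp) -ne 0)) {
            $findings += 'ACE still allows writing member'
        }
    }

    [PSCustomObject]@{
        Group             = $group.Name
        DomainAdminsPaths = if ($findings) { $findings -join '; ' } else { 'none explicit (still bypassable as DC admin)' }
    }
}
```

Inherited ACEs from the OU and rights granted through the built-in Administrators group are also reported by Get-Acl, so review the output per group rather than relying on the OU's ACL alone.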



