Override an admin group user's environment using group policy.
-
Monday, February 14, 2011 5:50 AM
Is it possible to add a user to Domain Admins group, grant him unlimited access and restrict him to some limits through group policy?
Answers
-
Monday, February 14, 2011 2:16 PM
I suggest creating a group and granting permissions or delegating control for whatever resources you want this person to have admin rights to, and make him a member, or a member of the built-in groups. That's the standard way when you don't want to give someone full control of a domain.
- Proposed As Answer by Arthur_Li (Microsoft Contingent Staff, Moderator) Tuesday, February 15, 2011 7:13 AM
- Marked As Answer by Arthur_Li (Microsoft Contingent Staff, Moderator) Friday, February 18, 2011 3:07 AM
All Replies
-
Monday, February 14, 2011 6:36 AM
Hi,
this is not possible and this is not good practice. "Domain Admins" and "Enterprise Administrators" groups should be restricted only to those users who really are in that position and, of course, following best practices, you should work on a regular account and use secondary logon only if it's necessary :)
AD has many built-in groups that users can be added to for administering specific tasks. So, maybe you don't need to place the user into "Domain Admins" but only into one or more of those groups? Could you tell us what that user should be able to do?
This Microsoft article covers built-in groups in AD and explains what they do
http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
Regards, Krzysztof -
Monday, February 14, 2011 6:57 AM
Hello,
no, members of enterprise/domain admins group have full control, they are the highest admins in the domain or forest. You can't restrict them as they can revert any configured setting.
If you don't trust them don't make them admin.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. -
Monday, February 14, 2011 8:47 AM
For single forest/domain, domain admins are everything, they can remove complete AD.
There is no restricted access for domain admin in a single domain forest apart from schema change.
Regards
Awinish Vishwakarma
Blog : http://awinish.wordpress.com
Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Monday, February 14, 2011 11:55 AM
You can apply Group Policy settings to Domain Admins (via security group filtering) in the same manner as to any other security group. They will take effect - however, as Meinolf has pointed out, with a bit of ingenuity, members of Domain Admins would be able to revert these restrictions - so this approach is not recommended (since it's not effective).
hth
Marcin -
Friday, February 18, 2011 5:46 PM
I want some users to stop/start services, run some third-party software without an elevation request, and access shares easily.
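
Added example, not part of any post in this thread: one way to apply the delegation approach from the marked answer to the stop/start-services requirement, by granting a dedicated group start, stop and status rights on a single service instead of Domain Admins membership. The group name `CONTOSO\Svc-Operators` and the service `Spooler` are assumptions chosen for illustration; run it elevated on the server that hosts the service.

```powershell
# Added example (not from the thread). Assumed names: group and service below.
$ServiceName = 'Spooler'                 # hypothetical target service
$GroupName   = 'CONTOSO\Svc-Operators'   # hypothetical delegated group

# Resolve the group to its SID so the ACE survives a later rename.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Read the service's current security descriptor (SDDL) and parse it.
$sddl = ((& sc.exe sdshow $ServiceName) | Where-Object { $_ }) -join ''
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $sddl" }
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

# Least privilege: SERVICE_QUERY_STATUS (0x4), SERVICE_START (0x10), SERVICE_STOP (0x20).
# Deliberately excluded: SERVICE_CHANGE_CONFIG (0x2), WRITE_DAC and WRITE_OWNER,
# because any of them lets the holder repoint the service binary or rewrite this ACL.
$mask = 0x0004 -bor 0x0010 -bor 0x0020

# Skip the change if an equivalent allow ACE for this group is already present.
$existing = $sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and
    $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
    $_.SecurityIdentifier -eq $sid -and
    ($_.AccessMask -band $mask) -eq $mask
}

if (-not $existing) {
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)

    # Append after existing ACEs so any deny ACEs stay ahead of this allow ACE.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    & sc.exe sdset $ServiceName $newSddl
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for $ServiceName" }
}

# Show the resulting descriptor for review and change records.
& sc.exe sdshow $ServiceName
```

Record the original `sdshow` output before changing it so the descriptor can be restored, and review the group's membership as you would any privileged group.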