Restrict Privileged Domain Groups

  • Question

  • Hi Support,

    I want to customize the permissions of the domain groups below. For example, if I have assigned Backup Operators to one of the admins, after that they can only manage the backup part and are restricted from doing anything related to Active Directory users, groups, computers, group policies, etc.

    2nd, if I have assigned RDP access, after that the admin can't make any changes to Active Directory or any other services.

    • Enterprise Admins
    • Domain Admins
    • Schema Admins
    • BUILTIN\Administrators
    • Account Operators
    • Backup Operators
    • Print Operators
    • Server Operators
    • Domain Controllers
    • Read-only Domain Controllers
    • Group Policy Creators Owners
    • Cryptographic Operators

    Friday, June 28, 2019 7:02 AM

Answers

  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by PK_TECHNET Saturday, August 3, 2019 7:19 AM
    Friday, July 5, 2019 2:27 AM

All replies

  • Hi,

    Not sure if I have understood your question. However, you can't change the default behaviour and permissions assigned to these default groups. Once you add users into either of these groups, the user will get all the permissions the group has.

    Thanks,

    Umesh.S.K

    Friday, June 28, 2019 8:12 AM
  • Hi Umesh,

    Can I create one group and customize its permissions? Will it work then?

    Friday, June 28, 2019 5:24 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    I agree with Umesh, we cannot change the default ACL of these protected groups.

    From AdminSDHolder, Protected Groups and SDPROP, we can see:

    Each Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain. The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups (what I like to call "protected" groups). Every hour, a background process runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the size or the binary string is different, the security descriptor on the object is overwritten by the security descriptor from the AdminSDHolder object.

    We can try to create one group and assign the group the specific permissions according to our need.



    Best Regards,
    Daisy Zhou



    Monday, July 1, 2019 7:19 AM
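    To see the SDProp behaviour described above in practice, the following added audit script (not from the thread, and not Microsoft's code) reads the AdminSDHolder security descriptor and compares it with the descriptor on every object stamped with adminCount=1, so an administrator can spot ACLs that SDProp will overwrite within the hour. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; comparing SDDL text is an approximation of the binary comparison SDProp itself performs.

```powershell
# Added example: audit protected objects against the AdminSDHolder template.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Security descriptor of the template object that SDProp copies from, as SDDL text.
$holderAcl  = Get-Acl -Path "AD:\$holderDn"
$holderSddl = $holderAcl.Sddl

# adminCount=1 marks objects SDProp has stamped (current or former protected-group members).
# The template itself is excluded from the comparison.
$protected = Get-ADObject -LDAPFilter "(adminCount=1)" -Properties adminCount |
    Where-Object { $_.DistinguishedName -ne $holderDn }

$report = foreach ($obj in $protected) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    [pscustomobject]@{
        Name           = $obj.Name
        ObjectClass    = $obj.ObjectClass
        # $false here means the ACL has drifted; SDProp will reset it on its next hourly run.
        MatchesHolder  = ($acl.Sddl -eq $holderSddl)
        # SDProp also disables ACL inheritance on protected objects.
        InheritanceOff = $acl.AreAccessRulesProtected
    }
}

# Objects whose ACL differs from the template are listed first.
$report | Sort-Object MatchesHolder, Name | Format-Table -AutoSize
```

    Note that adminCount stays at 1 after an account leaves a protected group, so objects reported here may include former members whose ACL still carries the AdminSDHolder descriptor.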
  • Hi,
    Is there any update on this question, or is the issue solved? Also, for the question, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou


    Wednesday, July 3, 2019 8:18 AM