Restricted Group for Domain Admins

    Question

  • Hi

    We are creating Restricted Groups for Domain, Enterprise & Schema Admins. So with which GPO we need to apply this setting, with Default Domain Policy or with Default Domain Controllers Policy?

    Thanks in advance



    LMS

    Monday, April 3, 2017 6:10 AM

Answers

  • Anyone with permissions to manage the membership of these groups cannot be restricted in who they add to the groups. You must be able to trust users with administrator privileges. This is why the membership in privileged/admin groups must be restricted to people that can be trusted.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, April 3, 2017 12:08 PM
  • I believe there is no need to spare a GPO to restrict membership of Domain Admins and other sensitive built-in groups. These groups only reside at domain level; why would you secure them if they are already secured? Just remove the unauthorized users from them and make sure no delegation can be used to re-modify the membership.


    Mahdi Tehrani | www.mahditehrani.ir
    Make sure to download my free PowerShell scripts:

    Tuesday, April 4, 2017 2:01 PM
    Moderator
  • If you mean to remove these groups from local admins on computers, you should configure it in the DDP (as you said, the old policy is already configured in the DDP).

     Also, you shouldn't remove Domain Admins from computers (from local admins), but the Enterprise and Schema groups can be removed.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Monday, April 3, 2017 11:33 AM
  • Hi

    Our intention is not to add these domain groups to any local groups, but to restrict the membership of Domain Admins / Enterprise Admins and Schema Admins. At present it's configured with the Default Domain Policy, but we doubt whether we can apply it at the Default Domain Controllers Policy.

    Regards


    LMS

    It is not recommended to edit the Default Domain Policy or the Default Domain Controllers Policy; you have to create a new policy to manage any settings. For your task you can create a new GPO and link it to the Domain Controllers OU (or edit the DDCP of course, if you want, but...:)


    MCSAnykey

    Monday, April 3, 2017 1:37 PM

All replies

  • Hi

     Default Domain Policy >> Applies settings to the whole domain.

     Default Domain Controllers Policy >> Applies settings only to DCs.

    So if you need to add these groups to specific groups on local computers, just configure a new GPO, set Restricted Groups and apply it to the related OU.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Monday, April 3, 2017 7:17 AM
  • Hi

    Our intention is not to add these domain groups to any local groups, but to restrict the membership of Domain Admins / Enterprise Admins and Schema Admins. At present it's configured with the Default Domain Policy, but we doubt whether we can apply it at the Default Domain Controllers Policy.

    Regards


    LMS

    Monday, April 3, 2017 8:35 AM
  • Yes, you can create a Restricted Groups GPO and apply it to the default domain controllers policy. If anyone adds any member to the groups, it will be removed by the DC unless it was added through the GPO. We use it in our workplace and it works perfectly fine. Let me know if you have any questions on it.
    Tuesday, April 4, 2017 10:02 PM
  • The reason why some companies implement this is because an enterprise admin can add other users to the Enterprise Admins group. In that case, the Restricted Groups GPO will be able to remove the user added, unless it is added by editing the appropriate GPO.

    For large organizations which use AGPM (Advanced Group Policy Management), this becomes a good way of tracking who/what/where/when and request numbers for adding to sensitive groups. Also note that GPOs apply to domain controllers every 5 minutes. Hence the unauthorized user will be removed, and group policy alerting can be set up in addition as well. All in all a nice way to capture details.

    Wednesday, April 12, 2017 3:26 AM
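The last two replies describe the enforcement model: the DC periodically compares the membership of Domain Admins, Enterprise Admins and Schema Admins with an authoritative list and removes anything not on it. The script below is an added example, not from any poster in this thread, that performs the same comparison as a read-only audit you can schedule alongside (or before rolling out) a Restricted Groups GPO. It assumes the RSAT ActiveDirectory module, an account that can read group membership in the forest root domain, and a constructed allow-list of approved sAMAccountNames that you must replace with your own.

```powershell
# Added example: audit the three privileged groups against an approved allow-list
# and report members the list does not contain. Read-only; it removes nothing.
Import-Module ActiveDirectory

# Constructed allow-list (assumption): approved sAMAccountNames per group.
$Approved = @{
    'Domain Admins'     = @('Administrator', 'svc-breakglass')
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @()   # normally empty outside a schema change window
}

# Resolve each group by its well-known RID (512/519/518) in the forest root domain,
# so a renamed group is still found. Enterprise/Schema Admins exist only there.
$RootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
$Rids = @{ 'Domain Admins' = 512; 'Enterprise Admins' = 519; 'Schema Admins' = 518 }

$Findings = foreach ($Name in $Rids.Keys) {
    $Sid   = "$($RootDomain.DomainSID)-$($Rids[$Name])"
    $Group = Get-ADGroup -Identity $Sid -Server $RootDomain.DNSRoot
    # -Recursive also surfaces accounts that inherit membership via nested groups,
    # which a plain look at the group's direct members would miss.
    $Members = Get-ADGroupMember -Identity $Group -Server $RootDomain.DNSRoot -Recursive
    foreach ($M in $Members) {
        if ($Approved[$Name] -notcontains $M.SamAccountName) {
            [pscustomobject]@{
                Group   = $Group.Name
                Member  = $M.SamAccountName
                Class   = $M.objectClass
                Checked = Get-Date
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
    # Non-zero exit code so a scheduled task or monitoring job can alert on it.
    exit 1
} else {
    Write-Output 'All privileged group members are on the approved list.'
}
```

Run it from a scheduled task on a management host at the same cadence the thread mentions for Group Policy on DCs, and feed the output to whatever alerting you already have; it complements the GPO rather than replacing it, since it reports drift instead of correcting it.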