restricting administrators


pdk
Is it possible to restrict members of the administrators
so that they can add themselves to a higher ranking group
e.g. Domain Administrators

If not does anyone know of other tools ??

Mark-Allen
Not sure about your question.

Local administrators cannot normally make themselves Domain Administrators. Only a Domain admin or an Enterprise admin can add their name to the domain group.

But Domain Admins are local admins by default on all domain registered machines.

Does this help?

--
Mark-Allen Perry
ALPHA Systems, Switzerland
mark-allen AT mvps DOT org

> "pdk" wrote in message news:474c01c47359$56c6f6e0$a601280a@phx.gbl...
> Is it possible to restrict members of the administrators
> so that they can add themselves to a higher ranking group
> e.g. Domain Administrators
>
> If not does anyone know of other tools ??

pdk

Let me make it more specific

Members of the administrators group found in ADUC
administrators group can add themselves to higher level
groups. It is this ability that I want to restrict. But is
it possible ??


>-----Original Message-----
>Not sure about your question.
>
>Local administrators cannot normally make themselves Domain Administrators. Only a Domain admin or an Enterprise admin can add their name to the domain group.
>
>But Domain Admins are local admins by default on all domain registered machines.
>
>Does this help?
>
>--
>Mark-Allen Perry
>ALPHA Systems, Switzerland
>mark-allen AT mvps DOT org
>
> "pdk" wrote in message news:474c01c47359$56c6f6e0$a601280a@phx.gbl...
> Is it possible to restrict members of the administrators
> so that they can add themselves to a higher ranking group
> e.g. Domain Administrators
>
> If not does anyone know of other tools ??

Steven L Umbach
Any user in the administrators group for the domain as shown in AD Users and Computers administrators is all-powerful in the domain [possibly for the forest if in the root domain] and cannot be restricted in a way that the administrator cannot undo.

--- Steve


"pdk" wrote in message
news:474c01c47359$56c6f6e0$a601280a@phx.gbl...
> Is it possible to restrict members of the administrators
> so that they can add themselves to a higher ranking group
> e.g. Domain Administrators
>
> If not does anyone know of other tools ??



Joe Richards [MVP]
No. Don't make them an administrator unless you trust them implicitly.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



pdk wrote:
> Is it possible to restrict members of the administrators
> so that they can add themselves to a higher ranking group
> e.g. Domain Administrators
>
> If not does anyone know of other tools ??
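
Following on from the answers by Steven L Umbach and Joe Richards: since members of the domain's Administrators group cannot be durably restricted, the practical check is knowing exactly who holds that membership, including through nested groups. The PowerShell below is an added example, not code from any post in this thread; it assumes the ActiveDirectory module (RSAT) and a single domain, and the function name `Get-AdministratorsAudit` is hypothetical.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a single domain; run with an account that can read group membership.
Import-Module ActiveDirectory

function Get-AdministratorsAudit {
    # Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
    # <domain SID>-512 = Domain Admins. SIDs are used instead of names
    # so the check still works if the groups have been renamed.
    $domainSid = (Get-ADDomain).DomainSID.Value

    # -Recursive expands nested groups down to the accounts that hold the rights.
    $domainAdmins = @(Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
        ForEach-Object { $_.SID.Value })

    Get-ADGroupMember -Identity 'S-1-5-32-544' -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                ObjectClass    = $_.objectClass
                SID            = $_.SID.Value
                # False = reaches domain-wide power through Administrators only,
                # so it is missed by reviews that look at Domain Admins alone.
                InDomainAdmins = $domainAdmins -contains $_.SID.Value
            }
        } |
        Sort-Object InDomainAdmins, SamAccountName
}

# Rows with InDomainAdmins = False sort first: review these accounts as if
# they were Domain Admins, per the answers in the thread.
Get-AdministratorsAudit | Format-Table -AutoSize
```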