Deny Domain Admins adding computers
 




Forum Index -> microsoft.public.windows.server.active_directory

Rob Mann
Posted: Thu May 18, 2006 7:12 pm    Post subject: Deny Domain Admins adding computers

I have a handful of domain admins that I want to take away the ability to
add computers to the domain while letting some keep this privilege. How can
this be easily done?

Thanks!

Carlo Cacciafesta
Posted: Thu May 18, 2006 7:36 pm    Post subject: RE: Deny Domain Admins adding computers

"Rob Mann" wrote:
Quote:
I have a handful of domain admins that I want to take away the ability to
add computers to the domain while letting some keep this privilege. How can
this be easily done?

Thanks!

You could create a security group, add all those domain admins to it, edit
domain security permissions and assign to that group the "Create Computer
Objects" Deny permission.

It is a solution but remember that a domain admin can change permissions...
so this restriction could be useless.

Regards,

Carlo

Rob Mann
Posted: Thu May 18, 2006 8:16 pm    Post subject: Re: Deny Domain Admins adding computers

Thanks for the quick response. Question - where do I edit the domain
security permissions for the group?

"Carlo Cacciafesta" <CarloCacciafesta@discussions.microsoft.com> wrote in
message news:DEB1E0A8-830C-4F0F-BB76-FF4ABF827E64@microsoft.com...
Quote:
"Rob Mann" wrote:
I have a handful of domain admins that I want to take away the ability to
add computers to the domain while letting some keep this privilege. How can
this be easily done?

Thanks!

You could create a security group, add all those domain admins to it, edit
domain security permissions and assign to that group the "Create Computer
Objects" Deny permission.

It is a solution but remember that a domain admin can change permissions...
so this restriction could be useless.

Regards,

Carlo

Jorge de Almeida Pinto [M
Posted: Fri May 19, 2006 12:30 am    Post subject: Re: Deny Domain Admins adding computers

Domain Admins are the "gods" within an AD domain. Denying permissions does
no good because Domain Admins can do anything they want

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"Rob Mann" <wvpa.admin@gmail.com> wrote in message
news:u%23spz1oeGHA.3572@TK2MSFTNGP03.phx.gbl...
Quote:
I have a handful of domain admins that I want to take away the ability to
add computers to the domain while letting some keep this privilege. How
can this be easily done?

Thanks!

Jorge Silva
Posted: Fri May 19, 2006 2:10 am    Post subject: Re: Deny Domain Admins adding computers

Hi

Remove these "Admins" from Domain Admins security group, create a new
Security Group, add these users to that group, then you can delegate
specific tasks.

--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator





"Rob Mann" <wvpa.admin@gmail.com> wrote in message
news:u%23spz1oeGHA.3572@TK2MSFTNGP03.phx.gbl...
Quote:
I have a handful of domain admins that I want to take away the ability to
add computers to the domain while letting some keep this privilege. How
can this be easily done?

Thanks!

Carlo Cacciafesta
Posted: Fri May 19, 2006 11:50 am    Post subject: Re: Deny Domain Admins adding computers

"Rob Mann" wrote:
Quote:
Thanks for the quick response. Question - where do I edit the domain
security permissions for the group?

Open "Active Directory Users and Computers" snap-in. Right click the point
of the structure where you want to modify permissions and select Properties.
Go to the Security tab and make whatever change you want to do, for example
add the group to which you want to deny Create Computer Objects permission.

Remember that domain admins can change permissions and also that this
suggestion I gave you is not a best practice. If you want to limit a user,
you should apply the principle of least permissions that is (very
simplified): start giving a user no administrative permissions, then give him
only the permissions he strictly needs to work. Never add users to the Domain
Admins group if you want them not to do something.

Regards,

Carlo
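
One way to carry out the advice in the replies above (take the accounts out of Domain Admins, then delegate only the specific right), shown as an added example that is not part of the original thread. The OU, group and account names are placeholders, and it assumes the ActiveDirectory PowerShell module and `dsacls` on a management host.

```powershell
# Added example; every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$targetOU  = "OU=Workstations,$domainDN"   # hypothetical OU that receives new computers
$groupName = 'Computer-Joiners'            # hypothetical delegation group
$demoted   = 'alice', 'bob'                # hypothetical accounts leaving Domain Admins
$joiners   = 'alice'                       # hypothetical subset that may still add computers

# 1. Remove the accounts from Domain Admins. A Deny ACE would not bind them
#    while they remain members, because they can edit the ACL themselves.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $demoted -Confirm:$false

# 2. Create a security group for the one delegated task and populate it.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
Add-ADGroupMember -Identity $groupName -Members $joiners

# 3. Grant "Create Computer objects" (CC;computer) on the OU and
#    everything below it (/I:T = this object and sub-objects).
dsacls $targetOU /I:T /G "$($domain.NetBIOSName)\${groupName}:CC;computer"

# 4. Verify: list every ACE on the OU that allows or denies creating
#    computer objects, and confirm who is still a Domain Admin.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.ActiveDirectoryRights.HasFlag($createChild) -and
                   $_.ObjectType -eq $computerClass } |
    Select-Object IdentityReference, AccessControlType, IsInherited

Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName

# 5. Read the domain's machine account quota. Ordinary authenticated users
#    can still join computers up to this number (default 10), so check it
#    before assuming the demoted accounts can no longer add machines.
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```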

Joe Richards [MVP]
Posted: Fri May 19, 2006 6:42 pm    Post subject: Re: Deny Domain Admins adding computers

You can not effectively prevent Domain Admins from doing anything.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Rob Mann wrote:
Quote:
I have a handful of domain admins that I want to take away the ability to
add computers to the domain while letting some keep this privilege. How can
this be easily done?

Thanks!

All times are GMT