Re: Restrict the Domain Admin
From: Christos Triantafyllidis (ctria_at_physics.auth.gr)
Date: Sun, 18 Sep 2005 00:13:53 +0300 To: firstname.lastname@example.org
> Hi List,
> Is there a way to restrict access of a Domain Admin?
> Example, can we allow a Dommain admin to do everything EXCEPT user management (e.g. password reset)?
This won't be a "Domain admin"
> We want to secure our environment, and do not want to have "ALL-POWERFULL" domain admins around
> Thanks for your suggestions
> P.S. Environment: Windows (2000 & 2003) - Active Directory
The best you can use is limit your domain admin account to the people
that should be domain admins. Add a new custom group for each privilege
that Active Directory allows you to have, and make users members of the
groups they should be.
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature