Avoid Dom Admin to remove Enterprise admin

From: MSCA (sir_g_phobos@yahoo.com)
Date: 06/12/02


From: "MSCA" <sir_g_phobos@yahoo.com>
Date: Wed, 12 Jun 2002 05:42:32 -0700


Use GroupPolicy 'Restricted groups' to resolve this issue.

>-----Original Message-----
>Hi,
>I need to force that Domain Admins from child domain are
>not able to remove Enterprise admins from the
>Administrators group. I can't find any solution on the
>technet or on MS web page.
>Please, can anyone help me? any clue?
>.
>



Relevant Pages

  • Re: script to list users and groups in domain admin and local admi
    ... >> Domain admins membership can be determined easily enough in Active ... >> using the net command and such to enumerate local administrators. ... If you want to use Restricted Groups ... >>>I am looking for a script or guidance to write a script that will list ...
    (microsoft.public.win2000.security)
  • Re: Avoid Dom Admin to remove Enterprise admin
    ... That's not a solution since the domain admins in the child domain will ... be able to modify the GPO that contains the Restricted Groups policy. ... A fine is a tax for doing wrong. ...
    (microsoft.public.win2000.security)
  • Re: Restrict User Creation - Administrators/DomainAdmins/EnterpriseAdmins
    ... One thing about Restricted Groups that gets a lot of people when doing this for the first time: make sure to include Domain Admins. ... Please be advised that - out of the box - that the Restricted Groups GPO will flush the members of your 'focus group' and then populate it with what you specify. ... Do this on a WINXP / WIN Vista / Member Server box with the appropriate 'Admin tools' installed. ... Delegation is about taking a group of users (create a Security Group ...
    (microsoft.public.windows.server.active_directory)
  • Re: Security on single forest domain design
    ... Here is where I mention Restricted Groups and here is where Paul mentions ... The problem with the startup script is that it does not prevent other ... Domain Admins and Schema Admins. ... the local group Administrators on each member workstations or servers, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Restricted Groups Problem
    ... Just create a restricted group for administrators and assign Domain Admins ... I have since deleted the restricted groups setting in the ... > group on all XP machines as quickly as possible? ...
    (microsoft.public.win2000.group_policy)