Restrict managing AD objects

Hi,

I want to restrict some members of Domain Administrator group only to read AD. It means no resetting passwords, no deleting users or other objects, no making new objects, only read.

Is this possible and how?

Thanx in advance!

----------

Take those members out of Domain Admins and place them in Domain Users

"panzer75" <panze***@discussions.microsoft.com> wrote in message news:F42304FB-2C49-454D-BE7A-D7B9B1FE2C76@microsoft.com...
> Hi,
>
> I want to restrict some members of Domain Administrator group only to read
> AD.
> It means no resetting passwords, no deleting users or other objects, no
> making new objects, only read.
>
> Is this possible and how?
>
> Thanx in advance!

----------

Hi

I believe this doesn't work because the Domain Admins are a Windows protected group, and after an hour the PDC would replace the permissions according to the AdminSDHolder object.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"panzer75" <panze***@discussions.microsoft.com> wrote in message news:F42304FB-2C49-454D-BE7A-D7B9B1FE2C76@microsoft.com...
> Hi,
>
> I want to restrict some members of Domain Administrator group only to read
> AD.
> It means no resetting passwords, no deleting users or other objects, no
> making new objects, only read.
>
> Is this possible and how?
>
> Thanx in advance!

----------
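The AdminSDHolder behaviour mentioned in the reply above can be checked from an administrative workstation. The following PowerShell is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module is installed and relies on the `adminCount` attribute (not mentioned in the thread), which the AdminSDHolder process sets on accounts it protects.

```powershell
Import-Module ActiveDirectory

# Protected groups as listed in this thread; some exist only in the forest
# root domain, so lookup errors for missing groups are suppressed below.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Administrators', 'Account Operators', 'Server Operators',
                   'Print Operators', 'Backup Operators'

# Distinguished names of everyone who is currently a direct or nested member.
$currentMembers = foreach ($group in $protectedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty distinguishedName
}
$currentMembers = @($currentMembers | Sort-Object -Unique)

# Accounts stamped by the AdminSDHolder process carry adminCount=1 and have
# ACL inheritance switched off, so OU-level delegation no longer reaches them.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # False means the account left the protected groups but kept the stamp.
            StillProtected      = $currentMembers -contains $_.DistinguishedName
        }
    } |
    Sort-Object StillProtected, SamAccountName |
    Format-Table -AutoSize
```

Accounts reported with `StillProtected = False` were removed from a protected group but still carry the old stamp and a non-inheriting ACL, which matters when former Domain Admins are moved to a delegated model.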
"Jorge Silva" wrote:
> Hi
>
> I believe this doesn't work because the Domain Admins are a Windows protected
> group, and after an hour the PDC would replace the permissions according to
> the AdminSDHolder object.
>
> --
> I hope that the information above helps you
>
> Good Luck
> Jorge Silva
> MCSA
> Systems Administrator
>
> "panzer75" <panze***@discussions.microsoft.com> wrote in message
> news:F42304FB-2C49-454D-BE7A-D7B9B1FE2C76@microsoft.com...
> > Hi,
> >
> > I want to restrict some members of Domain Administrator group only to read
> > AD.
> > It means no resetting passwords, no deleting users or other objects, no
> > making new objects, only read.
> >
> > Is this possible and how?
> >
> > Thanx in advance!

Hi,

problem is that they must be DomainAdmins....

Or maybe to put them in some other group similar to DomainAdmins?

Is there a group similar to that?

----------

Why do they need to be Domain Admins?

Protected groups are
Windows 2000
Enterprise Admins
Schema Admins
Domain Admins
Administrators
Administrators
For Windows 2000 SP4 or Windows 2003
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"panzer75" <panze***@discussions.microsoft.com> wrote in message news:E9D7C355-85C7-4DEA-ACDC-6C32E6300841@microsoft.com...
> "Jorge Silva" wrote:
>
>> Hi
>>
>> I believe this doesn't work because the Domain Admins are a Windows
>> protected group, and after an hour the PDC would replace the permissions
>> according to the AdminSDHolder object.
>>
>> --
>> I hope that the information above helps you
>>
>> Good Luck
>> Jorge Silva
>> MCSA
>> Systems Administrator
>>
>> "panzer75" <panze***@discussions.microsoft.com> wrote in message
>> news:F42304FB-2C49-454D-BE7A-D7B9B1FE2C76@microsoft.com...
>> > Hi,
>> >
>> > I want to restrict some members of Domain Administrator group only to
>> > read
>> > AD.
>> > It means no resetting passwords, no deleting users or other objects, no
>> > making new objects, only read.
>> >
>> > Is this possible and how?
>> >
>> > Thanx in advance!
>
> Hi,
>
> problem is that they must be DomainAdmins....
>
> Or maybe to put them in some other group similar to DomainAdmins?
>
> Is there a group similar to that?

----------

Well they have to have more rights than a simple user.

I just want to restrict them for AD.

Maybe server operators group can be enough?

----------

Hi

> Well they have to have more rights than a simple user.

Well I can't answer that because you didn't tell me exactly why they need to be domain Admins.

> I just want to restrict them for AD.
> Maybe server operators group can be enough?

Server Operator Groups are also a protected group.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"panzer75" <panze***@discussions.microsoft.com> wrote in message news:A0A6793F-21C9-47F3-A397-FE388F5DD4A9@microsoft.com...
> Well they have to have more rights than a simple user.
>
> I just want to restrict them for AD.
>
> Maybe server operators group can be enough?

----------

They must have access to various servers and clients through administrative share ($) and other things that users cannot do.

----------

Give them admin rights on assets they need to manage. Otherwise they can just stay as members of Domain Users

"panzer75" <panze***@discussions.microsoft.com> wrote in message news:A0A6793F-21C9-47F3-A397-FE388F5DD4A9@microsoft.com...
> Well they have to have more rights than a simple user.
>
> I just want to restrict them for AD.
>
> Maybe server operators group can be enough?

----------

Yea, but I have >500 PCs and >40 servers....
I need some possibility to restrict them from one place...

----------

You could use group policy "restricted groups" or possibly a script to add a group containing the relevant persons into the local admin group of these PC/Servers. This would be best practice.

"panzer75" <panze***@discussions.microsoft.com> wrote in message news:580B24B4-D064-42BD-A7BD-9DAE65C97680@microsoft.com...
> Yea, but I have >500 PCs and >40 servers....
> I need some possibility to restrict them from one place...

----------

You cannot restrict Domain Admins.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

panzer75 wrote:
> Hi,
>
> I want to restrict some members of Domain Administrator group only to read AD.
> It means no resetting passwords, no deleting users or other objects, no
> making new objects, only read.
>
> Is this possible and how?
>
> Thanx in advance!

----------

impossible!
as someone else said: remove them from the group... the only way

ask yourself... if you don't want them to do anything... why are they in the domain admins group?

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
----------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
----------------------------------------------------------------------

"panzer75" <panze***@discussions.microsoft.com> wrote in message news:F42304FB-2C49-454D-BE7A-D7B9B1FE2C76@microsoft.com...
> Hi,
>
> I want to restrict some members of Domain Administrator group only to read
> AD.
> It means no resetting passwords, no deleting users or other objects, no
> making new objects, only read.
>
> Is this possible and how?
>
> Thanx in advance!
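One way to script the approach suggested earlier in the thread (a domain group placed in the local Administrators group of each PC and server), as an added example that is not part of the original posts. The group name `CONTOSO\Server-Desktop-Admins` and the file `computers.txt` are hypothetical placeholders; the script assumes PowerShell remoting is enabled and Windows PowerShell 5.1 or later on the targets.

```powershell
# Hypothetical placeholders: substitute your own delegated group and host list.
$delegatedGroup = 'CONTOSO\Server-Desktop-Admins'
$computers      = Get-Content -Path '.\computers.txt'

# S-1-5-32-544 is the well-known SID of the local Administrators group;
# addressing it by SID avoids problems with localized group names.
$report = Invoke-Command -ComputerName $computers -ArgumentList $delegatedGroup `
    -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
        param($group)
        $sid     = 'S-1-5-32-544'
        $members = (Get-LocalGroupMember -SID $sid).Name
        $added   = $false

        # Add the delegated group only if it is not already a member.
        if ($members -notcontains $group) {
            Add-LocalGroupMember -SID $sid -Member $group
            $added = $true
        }

        # Return the resulting membership so it can be reviewed centrally.
        [pscustomobject]@{
            Added       = $added
            LocalAdmins = (Get-LocalGroupMember -SID $sid).Name -join '; '
        }
    }

# One row per machine: whether the group was added and who is a local admin now.
$report | Select-Object PSComputerName, Added, LocalAdmins |
    Format-Table -AutoSize -Wrap

# Machines that could not be reached or returned an error.
$failed | ForEach-Object { Write-Warning $_.Exception.Message }
```

Unlike the Restricted Groups policy, a script run once does not re-apply the membership if someone later changes it, so the report output is worth keeping for comparison on later runs.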