|
server
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Restrict admins from creating user accountsWe use a user provisioning system and want to disallow all domain admins from
creating user accounts except for a few any ideas on easily accomplishing this? I did manipulate the rights for a newly created group and set myself up in it but no success. -Pierre What ever you do as an administrator they as administrator can undo.
A written policy signed by all involved is probably your best option. hth DDS Show quoteHide quote "Pierre" <Pie***@discussions.microsoft.com> wrote in message news:88376235-4359-4372-97F3-B32295BC9483@microsoft.com... > We use a user provisioning system and want to disallow all domain admins > from > creating user accounts except for a few > > any ideas on easily accomplishing this? I did manipulate the rights for a > newly created group and set myself up in it but no success. > > -Pierre "Pierre" <Pie***@discussions.microsoft.com> wrote in message You cannot restrict Domain Admins. They must be trusted. The membership news:88376235-4359-4372-97F3-B32295BC9483@microsoft.com... > We use a user provisioning system and want to disallow all domain admins > from > creating user accounts except for a few > > any ideas on easily accomplishing this? I did manipulate the rights for a > newly created group and set myself up in it but no success. > > -Pierre should be limited. Create another group and grant the new group only the permissions required. ah huh? thanks
Show quoteHide quote "Richard Mueller [MVP]" wrote: > > "Pierre" <Pie***@discussions.microsoft.com> wrote in message > news:88376235-4359-4372-97F3-B32295BC9483@microsoft.com... > > We use a user provisioning system and want to disallow all domain admins > > from > > creating user accounts except for a few > > > > any ideas on easily accomplishing this? I did manipulate the rights for a > > newly created group and set myself up in it but no success. > > > > -Pierre > > You cannot restrict Domain Admins. They must be trusted. The membership > should be limited. Create another group and grant the new group only the > permissions required. > > -- > Richard Mueller > MVP Directory Services > Hilltop Lab - http://www.rlmueller.net > -- > > > 
Other interesting topics
Not Pulling an IP
AD Container VB Script returns all group memberships for a user EXCEPT Exchange Dist groups Domain functional level changing domain name DNS during Domain Controller demotion Delegate ad workstations to domain Demotion doesn't properly remove server from DNS Best way to give local admin rights only across the domain disabling 3g modems that connect to PCs via usb and pcmcia |
|||||||||||||||||||||||
