  • One user to modify domain group membership

    Is there a way to control which users are added to the Domain Admins group?

    We have a help desk where the HD users are able to create new users, add them to AD groups, etc.

    We would like to control who is added to the Domain Admins group by only allowing modifications to be made by either one specific user or a specific group of (high-level) users. We want to stop the HD users from adding themselves, or any other user, to the Domain Admins group.

    Is this possible?

    Windows 2003 SP2 Active Directory

    EDIT: I've had a look at the Restricted Groups setting in the Group Policy Editor. I've set this up with 8 domain users but I am experiencing one problem. It seems that the last user entered into this GPO is, after some time, no longer appearing in the selected AD group, namely the Domain Admins group. And it seems that each time I modify the GPO, later in the day the last added member is dropped from the target group.

    I thought that maybe there would be another Restricted Groups setting in another GPO which is removing users from the Domain Admins group, but I have found nothing.

    What can I do to fix this issue?
    Last edited by JDMils; 17th September 2007, 01:59.
    -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades

  • #2
    Re: One user to modify domain group membership

    Nobody can add themselves to "Domain Admins" unless they are given that right by a member of Domain Admins or DOMAIN\BUILTIN\Administrators. Make your Helpdesk agents "Account Operators" and delegate "Full Control" rights over your "User" OUs. Put all admin accounts (including theirs) into a separate OU and allocate permissions to "Account Operators" for "Read Only" on objects in that OU - except for changing their own password etc.

    I don't understand your second enquiry at all... please say again exactly what's happening and what you're trying to do.


    Tom
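The delegation Tom describes, plus the check a practitioner would want afterwards, as an added example that is not code from the original thread. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later; the Windows 2003 forest in the question has no such module and would need dsacls/dsadd), a Domain Admin session, and placeholder names for the helpdesk group and the two OUs. Steps 1 and 2 implement the answer; step 3 audits Domain Admins membership against an allowlist and lists every principal that can still write the group's `member` attribute.

```powershell
# Added example, not code from the original thread. Assumes the ActiveDirectory
# module (RSAT, Windows Server 2008 R2 or later) and a Domain Admin session.
# The OU names and helpdesk group name are placeholders chosen for this example.
Import-Module ActiveDirectory -ErrorAction Stop

$domainDN       = (Get-ADDomain).DistinguishedName
$usersOU        = "OU=Users,$domainDN"           # assumed: OU holding ordinary accounts
$adminsOU       = "OU=Admin Accounts,$domainDN"  # assumed: OU holding all admin accounts
$helpdeskGroup  = 'Help Desk'                    # assumed: group the HD staff belong to
$protectedGroup = 'Domain Admins'

$hdSid = (Get-ADGroup -Identity $helpdeskGroup).SID

function Add-OuAce {
    # Append one inheritable Allow ACE for $Sid on the directory object at $Dn.
    param(
        [string]$Dn,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $acl = Get-Acl -Path "AD:\$Dn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Sid, $Rights, $allow, $inherit
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Step 1: helpdesk staff become Account Operators and get Full Control on the user OU.
Add-ADGroupMember -Identity 'Account Operators' -Members $helpdeskGroup
Add-OuAce -Dn $usersOU -Sid $hdSid -Rights ([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

# Step 2: admin accounts live in their own OU. Cut inheritance there (keeping the
# inherited ACEs as explicit copies) so the Users OU delegation cannot leak in, then
# grant the helpdesk read-only access to that OU.
$adminAcl = Get-Acl -Path "AD:\$adminsOU"
$adminAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "AD:\$adminsOU" -AclObject $adminAcl
Add-OuAce -Dn $adminsOU -Sid $hdSid -Rights ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead)

# Step 3a: membership drift of the protected group against an allowlist.
$expectedAdmins = @('Administrator', 'jdmils')   # constructed allowlist for this example
$actual     = @(Get-ADGroupMember -Identity $protectedGroup | ForEach-Object { $_.SamAccountName })
$unexpected = @($actual | Where-Object { $expectedAdmins -notcontains $_ })
$missing    = @($expectedAdmins | Where-Object { $actual -notcontains $_ })
if ($unexpected) { Write-Warning "In $protectedGroup but not allowlisted: $($unexpected -join ', ')" }
if ($missing)    { Write-Warning "Allowlisted but absent from $protectedGroup`: $($missing -join ', ')" }

# Step 3b: who can change membership? Anyone with WriteProperty on 'member' (or an
# unscoped WriteProperty), GenericAll, WriteDacl or WriteOwner. The ACL on Domain
# Admins is re-stamped from CN=AdminSDHolder,CN=System by SDProp, so inspect both.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = [guid]$memberAttr.schemaIDGUID
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$dangerous  = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

$targets = @(
    (Get-ADGroup -Identity $protectedGroup).DistinguishedName,
    "CN=AdminSDHolder,CN=System,$domainDN"
)
foreach ($dn in $targets) {
    Write-Host "Principals able to change membership via $dn"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                (($_.ActiveDirectoryRights -band $dangerous) -ne 0) -or
                ((($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
                 ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty))
            )
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
        Format-Table -AutoSize
}
```

Two caveats when using this. Account Operators is a broad built-in group (it can manage most accounts and groups and log on to domain controllers), so Tom's OU delegation does most of the real work and the built-in membership can be dropped if the OU ACEs alone are enough. And the reason "nobody can add themselves" holds even with Full Control on the Users OU is that Domain Admins is protected by AdminSDHolder: SDProp overwrites the group's ACL from that template, which is why step 3b reads the template as well as the group.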


    • #3
      Re: One user to modify domain group membership

      With regard to the second question, our Domain Admins group is populated through a GPO. This is related to the first question where if one of the Help Desk users adds themselves or another user to Domain Admins then the GPO will overwrite that with the users WE selected, sort of a security measure on our part (one which I am not too happy with).

      What seems to happen is when we edit the GPO to add a new Domain Admin user, we find that when the GPO is applied, one of the users in the GPO list is not added to the Domain Admins group.

      Thus, if your answer works for us, I can get rid of the GPO and I'll buy you a
      -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades
