
Restricting child domain admins


  • Restricting child domain admins

    I have a 2012 AD deployed. We have 4 new offices coming up. We need to create child domains for each office and then have local admins who can manage that particular Domain only.

    How do I restrict the local domain admins from changing the global policies and allow them to make changes to local users / PCs only?

    Kindly help with details.

  • #2
    If your child domain admins are not made members of the parent domain admin group, no delegated permissions, etc., then they won't have any authority above their own child domain. Create those accounts in the child domain only, and make sure they have no access to creds to log into the parent domain itself. That security model is how AD works, out of the box.
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **
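
An audit sketch for the membership point made in the answer above, added here as an example and not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the parent is the forest root; the domain names are placeholders. It looks at the parent-domain groups whose scope can hold accounts from another domain in the forest (Domain Admins is a global group, so it can only contain accounts from its own domain).

```powershell
# Added example: read-only audit, changes nothing in the directory.
Import-Module ActiveDirectory

# Placeholders: replace with your own parent (forest root) and child domains.
$ParentDomain = 'corp.example.com'
$ChildDomains = @('office1.corp.example.com', 'office2.corp.example.com')

# Universal / domain-local groups in the parent that accept cross-domain members.
$PrivilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Turn a DNS domain name into its distinguished-name suffix,
# e.g. office1.corp.example.com -> DC=office1,DC=corp,DC=example,DC=com
function ConvertTo-DomainDN([string]$DnsName) {
    ($DnsName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

$findings = foreach ($groupName in $PrivilegedGroups) {
    # Read the raw 'member' attribute: in-forest members are stored by their DN,
    # so the owning domain can be read from the DN suffix.
    $group = Get-ADGroup -Identity $groupName -Server $ParentDomain -Properties member

    foreach ($memberDn in $group.member) {
        foreach ($child in $ChildDomains) {
            $suffix = ',' + (ConvertTo-DomainDN $child)
            if ($memberDn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Group       = $groupName
                    ChildDomain = $child
                    Member      = $memberDn
                }
            }
        }
    }
}

if ($findings) {
    # Any row is a child-domain principal holding rights in the parent domain.
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No child-domain principals found in the audited groups of $ParentDomain."
}
```

Only direct members are inspected; a child-domain account nested inside another universal or domain-local group in the parent needs a recursive pass over that group as well.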


    • #3
      Why are you creating domains for these offices?


      • #4
        Originally posted by joeqwerty
        Why are you creating domains for these offices?
        Just what I was thinking.

        You can also achieve this using OUs and delegated control.