Restrict Domain Admins to Edit GPOs


  • Restrict Domain Admins to Edit GPOs

    Hi Everyone,

    In Win2k3 domain, I have to restrict the domain admins to create/Modify/Delete the Group Policy objects except 2 members. these 2 members are also the part of domains admins group (Not Enterprise).

    Please help....

    Early responses would be appreciated.

    Thanks
    Vishal

  • #2
    Re: Restrict Domain Admins to Edit GPOs

    Why not create a new security group with only those two admins and only grant them access to create/Modify/Delete group policy objects?

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Restrict Domain Admins to Edit GPOs

      Some things to read up on...

      Least Privilege

      Delegation of Control

      Delegate Group Policy Permissions
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: Restrict Domain Admins to Edit GPOs

        Thanks for the posting... But because they are members of the Domain Admins group, the members are still able to change/create/delete it.


        • #5
          Re: Restrict Domain Admins to Edit GPOs

          That's true,
          So do they need to be a Domain Admin then?
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"



          • #6
            Re: Restrict Domain Admins to Edit GPOs

            Originally posted by vishalily
            Thanks for the posting... But because they are members of the Domain Admins group, the members are still able to change/create/delete it.
            Did you read up on Least Privilege? Basically, you only grant enough privileges for the person to do their job. Domain Admins obviously has too many privileges, and you need to set up some custom groups and delegate control.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com
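
An added example, not written by any poster in this thread: a PowerShell audit that lists every trustee holding edit rights on a GPO and flags those outside an approved list. It assumes the GroupPolicy module (RSAT) on a management workstation and a hypothetical two-person group named GPO-Editors; the sample ACL entries are constructed.

```powershell
# Added example. 'GPO-Editors' is a hypothetical group holding the two approved admins.
$ApprovedEditors = @('GPO-Editors', 'SYSTEM')

# GPPermissionType values that allow changing or deleting a GPO.
# GpoCustom entries are not classified here and need manual review.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

# Reads live data: one record per ACL entry on every GPO in the domain.
function Get-GpoAclEntry {
    Import-Module GroupPolicy
    foreach ($gpo in Get-GPO -All) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $ace.Trustee.Name
                Permission = [string]$ace.Permission
            }
        }
    }
}

# Emits the entries that grant edit rights to a trustee not on the approved list.
function Find-UnapprovedGpoEditor {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string[]] $Approved = $ApprovedEditors
    )
    process {
        if (($EditLevels -contains $Entry.Permission) -and
            ($Approved -notcontains $Entry.Trustee)) {
            $Entry
        }
    }
}

# Constructed sample: ACL of one GPO after edit rights were delegated to GPO-Editors.
$sample = @(
    [pscustomobject]@{ Gpo = 'Workstation Baseline'; Trustee = 'Authenticated Users'; Permission = 'GpoApply' }
    [pscustomobject]@{ Gpo = 'Workstation Baseline'; Trustee = 'GPO-Editors';         Permission = 'GpoEditDeleteModifySecurity' }
    [pscustomobject]@{ Gpo = 'Workstation Baseline'; Trustee = 'SYSTEM';              Permission = 'GpoEditDeleteModifySecurity' }
    [pscustomobject]@{ Gpo = 'Workstation Baseline'; Trustee = 'Domain Admins';       Permission = 'GpoEditDeleteModifySecurity' }
    [pscustomobject]@{ Gpo = 'Workstation Baseline'; Trustee = 'jdoe';                Permission = 'GpoEdit' }
)
$sample | Find-UnapprovedGpoEditor | Format-Table -AutoSize

# Against a live domain: Get-GpoAclEntry | Find-UnapprovedGpoEditor
```

In the constructed sample the Domain Admins entry is flagged alongside the stray user, which is the situation post #4 describes: the delegated group has edit rights, but so does every other Domain Admin.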
