You can't. Period.
Solution: Don't give these people who are untrustworthy
administrator or any native group access and don't let them log on interactively
to your DCs or allow them to modify the file systems nor registry nor services.
Summary: You can't. Period.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 08, 2005 7:01 PM
To: [email protected]
Subject: [ActiveDir] Problem: Limit Domain Admins and Administrators
Problem:
Need to lockdown Domain Admins and Administrators so that they can not add
additional users the Domain Admins and Administrators group.
Possible Solution:
Remove the permission's from the Domain Admins and Administrators so that
only Enterprise Admins can change their membership.
Anyone got a better idea or know if the solution will not work ?
Thank You ! And have a nice day !
**************************************************************
Mark Lunsford
KAISER PERMANENTE
Directory Services Identify Management (DSIM/NOS)
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
C ell: 925-200-0047
Remedy Group: NOPS SCRTY DSIM NOS
**************************************************************
