I think a good approach to this without going down the slippery slope of trying to redefine the rights of a Domain Admin (which has been discussed here before I believe) is to use something like MOM to monitor the Domain Admins and Administrators group for membership changes. That way anytime someone is added to those groups everyone is alerted to it and it is logged for eternity (or until your data retention policy overwrites it ;)
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 08, 2005 7:01 PM
To: [email protected]
Subject: [ActiveDir] Problem: Limit Domain Admins and Administrators

Problem: Need to lock down Domain Admins and Administrators so that they cannot add additional users to the Domain Admins and Administrators groups.

Possible Solution: Remove the permissions from the Domain Admins and Administrators so that only Enterprise Admins can change their membership.

Anyone got a better idea or know if the solution will not work?

Thank You! And have a nice day!

**************************************************************
Mark Lunsford
KAISER PERMANENTE
Directory Services Identity Management (DSIM/NOS)
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-0047
Remedy Group: NOPS SCRTY DSIM NOS
**************************************************************

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
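The membership-monitoring approach Phil suggests, as an added example that is not part of the thread: a scheduled PowerShell script that snapshots the direct membership of the privileged groups and alerts on any change since the last run. It assumes the RSAT ActiveDirectory module, a read-only service account, and the baseline and log paths under C:\ProgramData\PrivGroupWatch, all of which are my choices rather than anything from the list.

```powershell
# Added example, not from the ActiveDir thread. Snapshot privileged group
# membership, compare with the stored baseline, alert and record any change.
Import-Module ActiveDirectory

$WatchedGroups = @('Domain Admins', 'Administrators', 'Enterprise Admins')
$StateDir      = 'C:\ProgramData\PrivGroupWatch'        # assumed location
$BaselinePath  = Join-Path $StateDir 'baseline.json'
$ChangeLogPath = Join-Path $StateDir 'changes.csv'     # permanent record

function Get-PrivilegedMembership {
    # Direct members only; a nested group appearing here is itself a change worth seeing.
    $snapshot = @{}
    foreach ($g in $WatchedGroups) {
        $snapshot[$g] = @(Get-ADGroupMember -Identity $g |
                          Select-Object -ExpandProperty distinguishedName | Sort-Object)
    }
    return $snapshot
}

function Compare-PrivilegedMembership($Baseline, $Current) {
    # One record per member added to or removed from any watched group.
    $changes = @()
    foreach ($g in $WatchedGroups) {
        $old = @($Baseline[$g]); $new = @($Current[$g])
        foreach ($dn in $new) { if ($old -notcontains $dn) {
            $changes += [pscustomobject]@{ When=(Get-Date); Group=$g; Change='Added';   Member=$dn } } }
        foreach ($dn in $old) { if ($new -notcontains $dn) {
            $changes += [pscustomobject]@{ When=(Get-Date); Group=$g; Change='Removed'; Member=$dn } } }
    }
    return $changes
}

$current = Get-PrivilegedMembership
if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline, nothing to compare yet.
    New-Item -ItemType Directory -Force -Path $StateDir | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath
    Write-Output 'Baseline written; run again to detect changes.'
    return
}
$baseline = @{}
(Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = @($_.Value | Where-Object { $_ }) }

$changes = Compare-PrivilegedMembership $baseline $current
if ($changes) {
    # Alert (swap in SMTP, SIEM or a MOM/SCOM-style agent here) and keep the record.
    $changes | Format-Table -AutoSize | Out-String | Write-Warning
    $changes | Export-Csv -Append -NoTypeInformation -Path $ChangeLogPath
    $current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath   # accept new baseline
}
```

Run it as a scheduled task on a domain controller or management host; the CSV keeps the history independent of Security log retention, which is the "logged for eternity" point above.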
