This is impossible the way you are addressing it -> giving everything and removing some to realize the permissions needed. It is better to do it the other way around -> give ONLY what is needed.

There have been a lot of threads concerning this, and if you check the list archives you'll see a similar answer. If someone is a member of the groups "enterprise admins, domain admins, administrators", then that someone is GOD on your AD infrastructure. It is that simple!

What are the tasks you want a certain person to be able to do? (Please don't say "everything but that and that and that....")

For one good starter on delegation of tasks, see
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

Enter "delegation of control" in Google and you'll find tons of info.

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 5/5/2005 10:27 AM
Subject: [ActiveDir] Deny active directory right to a enterprise admin user

Hi,

I have made a user a member of the Enterprise Group. Now I want that the user should not be able to perform any Active Directory related task. Or in other words: how to deny the permission to an Enterprise Admin Group user to perform Active Directory tasks? He should even able to open the Active Directory User and computer console and not be able to any file related task. Please tell me it can be using ADSI edit.

Thanks,
Manjeet
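
The "give ONLY what is needed" approach from the reply above, as an added PowerShell example that is not part of the original thread. It assumes a single-domain forest, the ActiveDirectory RSAT module, and that the task to delegate is password resets on one OU; the account, OU and group names are constructed placeholders.

```powershell
# Added example; every name below is a constructed placeholder.
Import-Module ActiveDirectory

$User       = 'jdoe'                          # hypothetical account
$TargetOU   = 'OU=Staff,DC=example,DC=com'    # hypothetical OU holding the managed users
$Delegates  = 'Helpdesk-PasswordReset'        # hypothetical task-specific group
$Privileged = 'Enterprise Admins', 'Domain Admins', 'Administrators'

# 1. Find the all-powerful groups the account sits in, directly or through nesting.
foreach ($group in $Privileged) {
    $effective = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SamAccountName -eq $User }
    $direct = Get-ADGroupMember -Identity $group |
        Where-Object { $_.SamAccountName -eq $User }

    if ($effective -and -not $direct) {
        Write-Warning "$User reaches '$group' through a nested group; fix that group's membership."
    }
    if ($direct) {
        # -WhatIf previews the removal; drop it once the output has been reviewed.
        Remove-ADGroupMember -Identity $group -Members $User -WhatIf
    }
}

# 2. Create a group for the one task and put the account in it.
New-ADGroup -Name $Delegates -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Identity $Delegates -Members $User

# 3. Grant only that task on user objects below the OU:
#    the "Reset Password" extended right, plus write access to pwdLastSet
#    so "must change password at next logon" can be set.
$trustee = "$((Get-ADDomain).NetBIOSName)\$Delegates"
dsacls $TargetOU /I:S /G "${trustee}:CA;Reset Password;user"
dsacls $TargetOU /I:S /G "${trustee}:WP;pwdLastSet;user"

# 4. Confirm what the OU's ACL now grants the delegation group.
dsacls $TargetOU | Select-String -SimpleMatch $Delegates
```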
