Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down.
Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.
On 7/31/06, Andy Wang <[EMAIL PROTECTED]> wrote:
Hi,
I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?
Thanks in advance.
Andy