I'd think of revoking Domain Admins and granting them their rights via an RBS group in AD. Changing the rights of the built-in admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group.

Domain and Enterprise Admins are a very powerful group of people.  If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights.  I know that it's a constant battle to try and keep our membership in these groups down.

Seriously... RBS is your friend.  Rip those people out of the Domain Admins group.  You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security.  Do it there and keep people out of the Domain Admins group if you can.


On 7/31/06, Andy Wang <[EMAIL PROTECTED]> wrote:
Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.

Andy
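
The approach recommended in the reply above, sketched as an added example that is not part of the original thread: a role group receives one delegated right on an OU, the few GPO authors go into Group Policy Creator Owners, and the same accounts leave Domain Admins. The domain, OU, group, and account names are constructed placeholders, and the script assumes the ActiveDirectory module and `dsacls.exe` are available.

```powershell
# Added example. Every name below is a constructed placeholder.
Import-Module ActiveDirectory

$domainDn   = 'DC=example,DC=com'              # placeholder domain
$targetOu   = "OU=Staff,$domainDn"             # OU the role may manage
$roleOu     = "OU=Roles,$domainDn"             # OU that holds role groups
$roleGroup  = 'Role-Helpdesk-PasswordReset'    # hypothetical role group
$helpdesk   = 'jdoe', 'asmith'                 # accounts leaving Domain Admins
$gpoAuthors = 'asmith'                         # the few who must create GPOs

# 1. Create the role group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope Global `
                -GroupCategory Security -Path $roleOu
}

# 2. Delegate one task on the OU through AD security: the control access
#    right "Reset Password" on user objects, inherited by child objects.
$netbios = (Get-ADDomain).NetBIOSName
dsacls $targetOu /I:S /G "$netbios\${roleGroup}:CA;Reset Password;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $targetOu" }

# 3. Put people into the groups that carry only the rights they need.
Add-ADGroupMember -Identity $roleGroup -Members $helpdesk
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $gpoAuthors

# 4. Take the same accounts out of Domain Admins. -WhatIf only reports the
#    change; drop it once the delegated rights are confirmed to work.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $helpdesk `
                     -Confirm:$false -WhatIf

# 5. Review who is still a Domain Admin, including nested membership.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```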
