Well, at least Darren posted another mail regarding “security by obscurity” – which this is.  It’s just like removing the Domain Admins group from the local administrators group on member servers “to secure the member server”…


Just because many of those domain admins don’t know why they may be missing some permissions and have no clue how to fix it, doesn’t mean that you’re protected from them.  Some may even cause more harm by trying to regain access once you’ve removed it for the group. And GPOs are certainly not your only worry in a domain with too many domain admins.


So – as many have already stated and I’m happy to chime in - don’t try to fix the wrong thing. Instead remove all those users from the Domain Admins group, which you would have otherwise not added to the Group Policy Creator Owners group…  You’ll now need to find ways to delegate the tasks that the ex-Domain Admins performed when they were still in the group.


For example you may need to create a few groups and add these to the local admin groups on the appropriate machines (such as a ComputerAdmin and ServerAdmins groups that will grant admin access to all workstations and member-servers respectively – if this is what your admins need). Then add those ex-Domain Admins to these groups.  Your Domain Admins can add these groups to the local admin groups on the respective machines via Group Policy…


/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 31, 2006 11:24 PM
To: [email protected]
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?


Andy-

Yes, it's possible. There are actually two steps here. If you have GPMC, highlight the Group Policy Objects node on your domain and choose the Delegation tab. From here, you can delegate which groups can create GPOs in the domain. However, even if you remove Domain Admins from this list, what you will notice is that, when a GPO gets created by someone legitimately, the Domain Admins group will still have edit rights over that GPO. This is because the defaultSecurityDescriptor attribute on the groupPolicyContainer schema class object includes this group when any new objects are created. In order to change this, you will need to modify this attribute in the schema (e.g. using ADSIEdit) to remove that group from the SDDL list stored in that attribute.


Darren


Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
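An added audit script (not part of the thread, and not Darren's) that reads the two places his reply describes plus the GPOs that already exist: it assumes the RSAT ActiveDirectory and GroupPolicy modules and an account that can read the schema partition, and it only reports, it changes nothing.

```powershell
# Added example: audit who can create GPOs and whether Domain Admins is still
# stamped onto new and existing GPOs. Assumes RSAT ActiveDirectory + GroupPolicy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain
$daSid   = "$($domain.DomainSID.Value)-512"   # Domain Admins is always RID 512

# 1. GPO creation right. GPMC's Delegation tab on "Group Policy Objects" is the
#    Create Child right on the CN=Policies container; an all-zero ObjectType
#    means "any child class", otherwise it is scoped to one schema class.
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
(Get-Acl -Path "AD:\$policiesDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'CreateChild' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# 2. The ACL every *new* GPO is born with: defaultSecurityDescriptor (SDDL) on
#    the groupPolicyContainer class in the schema. "DA" in that SDDL resolves
#    to the Domain Admins SID when parsed.
$classDn = "CN=Group-Policy-Container,$($rootDse.schemaNamingContext)"
$sddl = (Get-ADObject -Identity $classDn -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)
$daDefault = $sd.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $daSid }
if ($daDefault) {
    Write-Warning "Schema default still grants Domain Admins write rights on every new GPO"
} else {
    Write-Output "Schema default does not grant Domain Admins write rights on new GPOs"
}

# 3. Existing GPOs keep the ACL they were created with; editing the schema
#    default does not retroactively touch them, so list them separately.
Get-GPO -All | ForEach-Object {
    $perm = Get-GPPermission -Guid $_.Id -TargetName 'Domain Admins' `
                             -TargetType Group -ErrorAction SilentlyContinue
    if ($perm -and $perm.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity') {
        [pscustomobject]@{ GPO = $_.DisplayName; DomainAdmins = $perm.Permission }
    }
} | Format-Table -AutoSize
```

Step 3 is the part the GPMC Delegation tab and the schema edit together do not cover: any GPO created before the schema change still carries the old default ACL and has to be fixed per object.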


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 12:42 PM
To: [email protected]
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.

Andy
