Except for DCs ... but hopefully that can be managed with a secondary account for a couple of staff only! ;o)

+1000 for having under 5 DAs in any domain! Ridiculous power trip on every occasion with even non-operations managers wanting to be in there as a sign of "seniority"!

a
________________________________
From: David Lum [mailto:[email protected]]
Sent: 30 September 2010 14:23
To: NT System Admin Issues
Subject: RE: Restricting groups in Active Directory

Ask why they need to be domain admins and not just have the necessary permissions delegated. My Service Desk guys were domain admins from the day they started (in some cases years) and they insisted they needed to be domain admins to do x, y and z. Oddly, I was able to delegate the necessary functions and they haven't been domain admins for many months now.

The Win2K servers were sticky since Win2K doesn't have a "Remote Desktop User" group, but restricted groups helped me out there - they're local admins on Win2K Server boxes but not domain admins.

You can make them local admins of a server w/out them being domain admins, and using GPOs you'll be able to track who is admin on what instead of going to each machine one by one.

No clue if this would help what you're fighting though....

Dave
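The "track who is admin on what" point above, as an added example that is not part of the original thread: a small Python audit of the Restricted Groups section (`[Group Membership]`) of a GPO security template (GptTmpl.inf). The SIDs in the sample are constructed and the function names are hypothetical.

```python
# Added example (not from the thread): audit the Restricted Groups section
# of a GPO security template to see who the policy makes a local admin.
LOCAL_ADMINS = "*S-1-5-32-544"  # built-in Administrators (well-known SID)
DOM = "*S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed sample in the GptTmpl.inf [Group Membership] layout.
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Group Membership]
{LOCAL_ADMINS}__Memberof =
{LOCAL_ADMINS}__Members = {DOM}-1105
{DOM}-1106__Memberof = {LOCAL_ADMINS}
{DOM}-1106__Members =
[Version]
Revision=1
"""


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entries = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(name, {"members": [], "memberof": []})[kind.lower()] = entries
    return groups


def local_admin_grants(groups):
    """Principals the policy puts in local Administrators, by either setting."""
    granted = set(groups.get(LOCAL_ADMINS, {}).get("members", []))
    granted.update(n for n, g in groups.items() if LOCAL_ADMINS in g["memberof"])
    return sorted(granted)


def lists_domain_admins(groups):
    """True if Domain Admins (RID 512) is in the Administrators members list."""
    members = groups.get(LOCAL_ADMINS, {}).get("members", [])
    return any(m.endswith("-512") for m in members)
```

A `__Members` list replaces the group's membership when the policy applies, so a `False` from `lists_domain_admins` means Domain Admins would be dropped from local Administrators on the targeted machines; `__Memberof` entries only add. Templates read from SYSVOL are normally UTF-16 encoded and need decoding before being passed in.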
