Q. How can I restrict a domain administrator from creating users or performing a function?

John Savill

July 1, 2010


A. You can't. A domain administrator effectively owns the domain. If you don't trust people, don't make them domain administrators. A domain/forest should have a very small number of domain administrators. All other administrators should be delegated control over particular OUs, objects, or attributes of objects. If you need select users to have administrator rights on certain domain member computers, use Group Policy restricted groups or a script to make those users local administrators—don't make them domain administrators.

You could try to set certain deny permissions on objects, but in the end, if domain administrators really wanted to, they could undo it.
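The "script" option mentioned above could look like the following; this is an added example, not code from the original article. It assumes Windows PowerShell 5.1 or later on the target computers, PowerShell remoting enabled, and hypothetical names (`CONTOSO\Workstation-Admins`, `PC01`, `PC02`).

```powershell
# Added example. Hypothetical names: CONTOSO\Workstation-Admins, PC01, PC02.
# Assumes Windows PowerShell 5.1+ on the targets and PowerShell remoting enabled.
param(
    [string[]]$ComputerName   = @('PC01', 'PC02'),
    [string]  $DelegatedGroup = 'CONTOSO\Workstation-Admins'
)

$report = Invoke-Command -ComputerName $ComputerName -ArgumentList $DelegatedGroup -ScriptBlock {
    param($Group)

    # Bind to the built-in Administrators group by its well-known SID,
    # so the script also works where the group name is localized.
    $admins = Get-LocalGroup -SID 'S-1-5-32-544'

    # Check current membership first so repeated runs change nothing.
    $present = Get-LocalGroupMember -Group $admins |
        Where-Object { $_.Name -eq $Group }

    if ($present) {
        $action = 'AlreadyMember'
    } else {
        try {
            Add-LocalGroupMember -Group $admins -Member $Group -ErrorAction Stop
            $action = 'Added'
        } catch {
            $action = "Failed: $($_.Exception.Message)"
        }
    }

    # Return the resulting membership so it can be reviewed centrally.
    [pscustomobject]@{
        Action  = $action
        Members = (Get-LocalGroupMember -Group $admins).Name -join '; '
    }
}

# PSComputerName is added by Invoke-Command to each remote result.
$report | Select-Object PSComputerName, Action, Members | Format-Table -AutoSize -Wrap
```

The `Members` column lists every principal that holds local administrator rights on each computer, which makes it easy to confirm that the delegated group is there and that no individual accounts have been added directly.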
