Question

  Asked: May 12 2008   3:37 PM GMT
  Asked by: Windows Security ATE


Active Directory Privileges for new admins


Windows Security, Active Directory, Administrative privileges

When a new user is added to our Active Directory database, by default, that user has access to all machines. Is there any way to change the domain policy so that, when a user is added, machines are added with this access level by default but, at the same time, deny this option for a second tier admin group? In other words, we have a group with their own admin who is coming into our group, and we would like to make it so this new admin cannot allow their users access to all of our machines.


Answer Wiki



It sounds like the user is being added to the Domain Administrators group. Simply make sure their account is part of Domain Users and that Domain Users is not in the Local Administrators group on the devices in question. Otherwise, you will need to go through a delegated administrative rights exercise to filter privileges. This is best done using OU and GPO management.
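
One way to check the condition the answer describes, written as an added example that is not part of the original answer: it flags any machine whose local Administrators group contains a broad group such as Domain Users. The domain name CONTOSO, the host names, the OU path and the function name `Find-BroadLocalAdmin` are assumptions made for illustration, and the sample membership data is constructed.

```powershell
# Groups that effectively mean "every account in the domain".
$BroadGroups = 'Domain Users', 'Authenticated Users', 'Everyone'

function Find-BroadLocalAdmin {
    # Hypothetical helper: returns one record per broad group found in a
    # machine's local Administrators membership.
    param(
        [Parameter(Mandatory)] [object[]] $Membership,  # needs ComputerName, Name
        [string[]] $Broad = $BroadGroups
    )
    foreach ($m in $Membership) {
        # Drop the DOMAIN\, BUILTIN\ or NT AUTHORITY\ prefix before comparing.
        $leaf = ($m.Name -split '\\')[-1]
        if ($Broad -contains $leaf) {
            [pscustomobject]@{
                ComputerName = $m.ComputerName
                Offender     = $m.Name
            }
        }
    }
}

# Constructed sample, shaped like Get-LocalGroupMember output gathered per host.
$sample = @(
    [pscustomobject]@{ ComputerName = 'WS01'; Name = 'CONTOSO\Domain Admins' }
    [pscustomobject]@{ ComputerName = 'WS01'; Name = 'WS01\Administrator' }
    [pscustomobject]@{ ComputerName = 'WS02'; Name = 'CONTOSO\Domain Admins' }
    [pscustomobject]@{ ComputerName = 'WS02'; Name = 'CONTOSO\Domain Users' }
    [pscustomobject]@{ ComputerName = 'WS03'; Name = 'NT AUTHORITY\Authenticated Users' }
)

# WS02 and WS03 are reported; WS01 is clean.
Find-BroadLocalAdmin -Membership $sample | Format-Table -AutoSize

# Live collection (needs PowerShell remoting, the ActiveDirectory module and
# PowerShell 5.1 on the targets). The OU path is a placeholder.
# $ou    = 'OU=Workstations,DC=contoso,DC=example'
# $names = (Get-ADComputer -Filter * -SearchBase $ou).Name
# $live  = Invoke-Command -ComputerName $names -ScriptBlock {
#              Get-LocalGroupMember -Group 'Administrators' } |
#          Select-Object @{n='ComputerName';e={$_.PSComputerName}}, Name
# Find-BroadLocalAdmin -Membership $live
```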