One user to modify domain group membership

Home Forums Microsoft Networking and Management Services Active Directory One user to modify domain group membership

Viewing 1 post (of 1 total)
  • Author
  • Avatar

    Is there a way to control which users are added to the Domain Admins group?

    We have a help desk where the HD users are able to create new users, add them to AD groups, etc.

    We would like to control who is added to the Domain Admins group by only allowing modifications to be made by either one specific user or a specific group of (high-level) users. We want to stop the HD users from adding themselves, or any other user, to the Domain Admins group.

    Is this possible?

    Windows 2003 SP2 Active Directory

    EDIT: I’ve had a look at the Restricted Groups setting in the Group Policy Editor. I’ve set this up with 8 domain users but I am experiencing one problem. It seems that the last user entered into the this GPO is, after some time, no longer appearing in the selected AD group, namely the Domain Admins group. And it seems that each time I modify the GPO, later in the day the last added member is dropped from the target group.

    I thought that maybe there would be another Restricted Groups setting in another GPO which is removing users from the Domain Admins group, but I have found nothing.

    What can I do to fix this issue?

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.