Is there a way to control which users are added to the Domain Admins group?
We have a help desk where the HD users are able to create new users, add them to AD groups, etc.
We would like to control who is added to the Domain Admins group by only allowing modifications to be made by either one specific user or a specific group of (high-level) users. We want to stop the HD users from adding themselves, or any other user, to the Domain Admins group.
Is this possible?
Windows 2003 SP2 Active Directory
EDIT: I’ve had a look at the Restricted Groups setting in the Group Policy Editor. I’ve set this up with 8 domain users but I am experiencing one problem. It seems that the last user entered into the this GPO is, after some time, no longer appearing in the selected AD group, namely the Domain Admins group. And it seems that each time I modify the GPO, later in the day the last added member is dropped from the target group.
I thought that maybe there would be another Restricted Groups setting in another GPO which is removing users from the Domain Admins group, but I have found nothing.
What can I do to fix this issue?
You must be logged in to reply to this topic.
Create a free account today to participate in forum conversations, comment on posts and more.