Restricting Domain Admins' ability to edit Global Group Membership



    Hi There,

    I was googling the above issue when I found these forums through a similar post here; however, it came close to our issue but not exactly.

    In our organisation we have way too many Domain Admins on the network. We’ve been fighting within the IT Department for many years about reducing the number of Domain Admins, but like so many other things, politics maintains the status quo.

    However, we have a system where only the Access Management team has the authorisation to make changes to Global Group membership. Global Group membership is how we control access to virtually everything, and only after a process of two approvals by two levels of management are any global groups added to a user. However, because so many people within IT have Domain Admin, they technically have the ability to add people to groups, but they shouldn’t be doing it. But as you’ve probably guessed at this stage, they do make changes to the groups.

    We have a reporting utility that sends us emails when people outside of the Access Management team make changes to Global Group membership, so that we know who changes what and when. However, it has happened too many times now and we want to take action.

    If they’re not willing to examine what permissions they need to have instead of Domain Admin, then we want to prevent them from making group membership changes.

    I know a group can be made which will grant the ability of adding global group membership and therefore a group can be made which would deny that access to people, but if I apply that group to an account which has Domain Admin, would that stop the account from changing any Global Group membership?
