in a ou , how can don't let anyone to be member of domain admin & enterprise admin am i how to set a policy ?

hi, you can setup a script to do this. 1. Script to query the members of the OU 2. if the members of the OU is an user object, then check if they are member of either domain admin or enterprise admin 3. if they are, remove them. 4. Set this script as a scheduled tasks like for every 5 mins. thanks ThiyaguThiyagu | MCTS/MCITP - Exchange 2007 | MCSE 2003[Messaging] | http://www.myExchangeWorld.com. This posting is provided "AS IS" with no warranties, and confers no rights.

The best approach is by using a GPO adn to limit the membership in the Administrator's group in the domain. Membership in this domain has control over all groups defined. You could easily create a new group policy object and take use the "Restricted Groups" settings to maintain the memberships of domain admins and enterprise admins. Apply it to the Domain Controllers OU. There is no need for scheduing any jobs as you can control the refresh rate of the GPO. The Default Domain Contorllers policy already refershes every 5 min. Florian has a good article on this topic: http://www.frickelsoft.net/blog/?p=13 Visit: anITKB.com, an IT Knowledge Base.