Membership Of Domain Admin & Enterprise admin
In an OU, how can I prevent anyone from being a member of Domain Admin & Enterprise Admin?
How do I set a policy?
August 15th, 2010 11:59am
Hi,
You can set up a script to do this.
1. Script to query the members of the OU
2. If a member of the OU is a user object, then check whether it is a member of either Domain Admin or Enterprise Admin
3. If they are, remove them.
4. Set this script as a scheduled task, e.g. every 5 mins.
Thanks
ThiyaguThiyagu | MCTS/MCITP - Exchange 2007 | MCSE 2003[Messaging] | http://www.myExchangeWorld.com. This posting is provided "AS IS" with no warranties, and confers no rights.
August 15th, 2010 12:04pm
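The four steps in the reply above, written out as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is installed and a single-domain forest; the OU distinguished name, log path, script path and task name are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical OU; replace with the OU whose users must never hold these groups.
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',
    [string[]]$ProtectedGroups = @('Domain Admins', 'Enterprise Admins'),
    # Hypothetical log location for the audit trail of removals.
    [string]$LogPath = "$env:ProgramData\AdminGroupCleanup.log"
)

$suffix = ",$SearchBase"

foreach ($name in $ProtectedGroups) {
    $group = Get-ADGroup -Identity $name

    # Steps 1-2: direct members of the group that are user objects and whose
    # distinguished name sits under the OU (nested groups are not expanded).
    $offenders = Get-ADGroupMember -Identity $group | Where-Object {
        $_.objectClass -eq 'user' -and
        $_.distinguishedName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
    }

    foreach ($user in $offenders) {
        # Step 3: remove the membership; -WhatIf on the script turns this into a dry run.
        if ($PSCmdlet.ShouldProcess($user.distinguishedName, "Remove from '$name'")) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            '{0:u} removed {1} from {2}' -f (Get-Date), $user.distinguishedName, $name |
                Add-Content -Path $LogPath
        }
    }
}

# Step 4: register the script to run every 5 minutes (run once, from an elevated prompt;
# the path and task name below are hypothetical):
#   schtasks /Create /TN "AdminGroupCleanup" /SC MINUTE /MO 5 /RU SYSTEM `
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\AdminGroupCleanup.ps1"
```

Run it with `-WhatIf` first to see which memberships would be removed before scheduling it.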
The best approach is to use a GPO and to limit the membership in the Administrators group in the domain. Membership in this domain has control over all groups defined.
You could easily create a new Group Policy object and use the "Restricted Groups" settings to maintain the memberships of Domain Admins and Enterprise Admins. Apply it to the Domain Controllers OU. There is no need for scheduling any jobs as you can control the refresh rate of the GPO. The Default Domain Controllers policy already refreshes every 5 min.
Florian has a good article on this topic:
http://www.frickelsoft.net/blog/?p=13
Visit: anITKB.com, an IT Knowledge Base.
August 15th, 2010 10:55pm