Q. How can I restrict a domain administrator from creating users or performing a function?

A. You can't. A domain administrator effectively owns the domain, so any restriction you place on the account can be removed by the account itself. If you don't trust people, don't make them domain administrators. A domain or forest should have a very small number of domain administrators; every other administrator should be delegated control over particular OUs, objects, or attributes of objects. If select users need administrator rights on certain domain member computers, use Group Policy Restricted Groups or a script to make those users local administrators on those computers; don't make them domain administrators.

You could try to set certain deny permissions on objects, but in the end, if domain administrators really wanted to, they could undo it.
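The two practical steps in the answer above, as an added PowerShell example that is not part of the original FAQ: the first function audits how many accounts really hold Domain Admins (nested groups expanded, since a group tucked inside Domain Admins is the usual way the count quietly grows), and the second grants a delegated domain group local Administrators rights on the member computer it runs on, which is the scripted alternative to Restricted Groups the answer mentions. It assumes the RSAT ActiveDirectory module on the auditing host and the built-in LocalAccounts module (Windows 10 / Server 2016 and later) on the member computer; the group name CONTOSO\Workstation-Admins and the threshold of 5 are constructed values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original FAQ). Assumes the RSAT ActiveDirectory
# module for the audit and Microsoft.PowerShell.LocalAccounts on the member
# computer. 'CONTOSO\Workstation-Admins' and the threshold 5 are constructed.

# --- Part 1: how many accounts actually own the domain? --------------------
function Get-DomainAdminReport {
    param(
        [int]$MaxExpected = 5   # constructed "very small number" for this example
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # -Recursive expands nested groups, so members hidden one level down
    # still count. Only user objects are reported; nested groups are noise.
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, LastLogonDate

    [pscustomobject]@{
        Count     = @($members).Count
        OverLimit = (@($members).Count -gt $MaxExpected)
        Members   = $members | Select-Object SamAccountName, Enabled, LastLogonDate
    }
}

# --- Part 2: local admin on this computer instead of Domain Admins ---------
function Grant-LocalAdmin {
    param(
        [Parameter(Mandatory)]
        [string]$DomainGroup   # e.g. 'CONTOSO\Workstation-Admins'
    )
    # Idempotent: Add-LocalGroupMember errors if the member already exists,
    # so check first. Name comes back as DOMAIN\Group for domain principals.
    $current = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name
    if ($current -contains $DomainGroup) {
        Write-Output "$DomainGroup is already a local administrator"
        return
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $DomainGroup
    Write-Output "Added $DomainGroup to local Administrators on $env:COMPUTERNAME"
}

# Usage: run the audit, warn if the group has grown past the expected size,
# then grant the delegated group local rights on this member computer.
$report = Get-DomainAdminReport -MaxExpected 5
if ($report.OverLimit) {
    Write-Warning "Domain Admins has $($report.Count) members; review and delegate instead"
}
$report.Members | Format-Table -AutoSize

Grant-LocalAdmin -DomainGroup 'CONTOSO\Workstation-Admins'
```

If you prefer the Group Policy route over the script, the setting lives under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups. Use the group's "This group is a member of" list to add it to Administrators; the "Members of this group" list replaces the target group's membership wholesale on every refresh, which is a common way to accidentally strip existing local administrators.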
