Ask the Expert

How can we restrict the ability to edit group policies to a subgroup of domain admins (just senior a

Hi, Roberta. We want to restrict the ability to edit group policies in Active Directory to a subgroup of domain admins (e.g., the senior administrators). All administrators still need to be members of domain admins for completing other administrative tasks, except that the junior administrators will not be allowed to edit group policies. How do I go about achieving this?
As you know, by default domain admins have the right to create group policy, manage group policy and modify GPO links. Additional users can be given the right to create and manage their own GPOs by adding them to the group "Group Policy Creator Owners Group." However, to restrict administrators, you must take a different tack. Two possible approaches are:
  • Prevent some administrators from using group policy administration tools. Place the admins you want to restrict in an OU (organizational unit) on which you create a GPO that restricts their access. The administrative template property to use is found under "Administrative Templates, Windows Components, Microsoft Management Console." The setting "Restrict users to the explicitly permitted list of snap-ins" lets you prevent admins from loading administrative tools in an MMC (Microsoft Management Console). The "Restricted/Permitted snap-ins" folder lists the tools for you to check; simply check (permit) only those that cannot be used to modify group policy. Your admins can thus manage the items they need to, but cannot open the group policy MMCs. You can further restrict junior admins by creating custom MMC consoles for the tasks you want them to do, and then also setting "Restrict the user from entering author mode" in the same GPO. This setting prevents users from creating MMC consoles and adding tools that they wish to use.

  • Modify permissions. This is a more complex undertaking. Two approaches are possible. In either, you start by creating a special group for junior admins and including their accounts. Then you must either remove them from the domain admins group and give this new group the administrative access they need, or leave the admins in the domain admins group and use the "deny" permission on object access in Active Directory to prevent them from doing the things you don't want them to do. One possibility here is to deny them the right to work with GPO links. As you know, a GPO is created and linked to a site, domain or OU container. If an admin does not have the ability to link a GPO, he effectively cannot create one that takes effect. You must then also set permissions on existing GPOs to prevent junior admins from changing them.
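To check that the permissions approach actually took hold, the following PowerShell script (an added example, not part of the original column) lists every GPO on which a given group still holds an edit-level permission and can then drop that group to read-only. It assumes the GroupPolicy module from GPMC/RSAT is installed and uses the placeholder group name "Junior Admins".

```powershell
# Added example, not code from the original column: audit which GPOs a group can
# edit, then (optionally) drop that group to read-only on those GPOs.
# Assumptions: the GroupPolicy module (GPMC/RSAT) is installed, and the junior
# admin group is named "Junior Admins" (a placeholder for your own group name).
Import-Module GroupPolicy

function Get-GpoEditRights {
    # Returns one object per GPO where $GroupName holds an edit-level permission.
    # GpoCustom means a hand-edited ACL and is reported so it gets reviewed too.
    param([Parameter(Mandatory)][string]$GroupName)
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
    foreach ($gpo in Get-GPO -All) {
        # Get-GPPermission raises an error when the trustee has no entry on the
        # GPO; treating that as "no rights" is exactly what we want here.
        $perm = Get-GPPermission -Guid $gpo.Id -TargetName $GroupName `
            -TargetType Group -ErrorAction SilentlyContinue
        if ($perm -and $editLevels -contains [string]$perm.Permission) {
            [pscustomobject]@{
                GpoName    = $gpo.DisplayName
                GpoId      = $gpo.Id
                Permission = [string]$perm.Permission
            }
        }
    }
}

function Set-GpoReadOnly {
    # Replaces the group's permission on each piped-in GPO with read-only.
    # Note: Set-GPPermission only writes Allow entries. That is enough for the
    # first variant above (junior admins removed from Domain Admins). For the
    # second variant (they stay in Domain Admins) a Deny ACE must be placed on
    # the GPO's ACL in AD, because the Allow held by Domain Admins still applies.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory, ValueFromPipeline)]$Finding
    )
    process {
        if ($PSCmdlet.ShouldProcess($Finding.GpoName, "set $GroupName to GpoRead")) {
            Set-GPPermission -Guid $Finding.GpoId -TargetName $GroupName `
                -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
        }
    }
}

# Report first; rerun the last line without -WhatIf to apply the change.
$findings = Get-GpoEditRights -GroupName 'Junior Admins'
$findings | Format-Table GpoName, Permission -AutoSize
$findings | Set-GpoReadOnly -GroupName 'Junior Admins' -WhatIf
```

Run the audit again after applying the change, and after any group membership change, since a later addition to Domain Admins silently restores edit rights.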

In either case, don't forget to create written policies that specify what the junior admins can and cannot do. Include the penalty for attempting or doing the things they shouldn't. Make everyone aware of these restrictions. You can enforce the policy using the methods described above (don't forget to test your solution), but ultimately, if a way can be found around it, sooner or later someone will find it. If the policy is clear, and you monitor their activity, then you can better deal with it. And I have found that when everyone knows the rules and the consequences, fewer people express their curiosity. Oh, I agree, traffic laws don't prevent everyone from running a red light, but they do keep most people in check. What if no one knew the rules?

This was first published in April 2003
