AD: prohibiting addition to a group. How to implement it?
Colleagues, I want something strange; please advise and point me in the right direction.
There is a task: to create a group in AD similar to the Domain Admins group, i.e. a group that is almost, almost Domain Admins, but not quite :) I created the group, gave out all the rights, and set up delegation for it. One small detail remains: to make sure that members of the new group cannot add themselves to the Domain Admins group. I tried to do this: I added the new group on the Security tab and gave it Deny on "Add/remove self as member".
But it doesn't work. And I thought, is this even possible? Or was it necessary to "resettle" the Domain Admins group into a separate OU, prohibit delegation for the new group on this OU, and only after that give it Deny on "Add/remove self as member"?
In general, help me.
It was necessary to issue a delegation to the new group not for the entire domain, but for the OU with users, and there would be no problems.
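
To verify the scope the answer recommends, the following added example (not part of the original thread) lists the ACEs that name the delegated group on the domain root and on the Domain Admins object and that cover the `member` attribute or the ACL itself. The group name `Almost-Domain-Admins` and the helper `Get-DelegatedAce` are hypothetical; the script assumes the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example (not from the original thread): read-only ACL audit.
Import-Module ActiveDirectory

# Assumption: hypothetical name of the delegated "almost Domain Admins" group.
$DelegatedGroup = 'Almost-Domain-Admins'

# schemaIDGUID of the 'member' attribute; the Self-Membership validated
# write ("Add/remove self as member") is identified by the same GUID.
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Rights that allow changing membership directly (WriteProperty, Self) or
# rewriting the ACL so that they can be granted later (WriteDacl, WriteOwner).
$R = [System.DirectoryServices.ActiveDirectoryRights]
$Risky = [int]($R::WriteProperty -bor $R::Self -bor $R::WriteDacl -bor $R::WriteOwner)

function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    # Explicit and inherited ACEs, with trustees returned as SIDs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Sid.Value -and
            (([int]$_.ActiveDirectoryRights -band $Risky) -ne 0) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $MemberGuid)
        } |
        Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
            AccessControlType, ActiveDirectoryRights, ObjectType,
            IsInherited, InheritanceType
}

$sid    = (Get-ADGroup -Identity $DelegatedGroup).SID
$checks = @(
    (Get-ADDomain).DistinguishedName                        # domain-wide delegation
    (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
)

# Only ACEs naming the delegated group itself are listed; rights obtained
# through nested group membership are not resolved here.
$checks | ForEach-Object { Get-DelegatedAce -DistinguishedName $_ -Sid $sid } |
    Format-Table -AutoSize
```

An Allow row on the domain root means the delegation is still domain-wide; once it is scoped to the OU with users, the delegated group should no longer appear with Allow rights on either object.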