Hmmm. OK, I'm inclined to agree, but aren't DAs and EAs governed by the same set of ACLs and ACEs applied at specific levels of AD as any other user?

IOW, can't I remove the Allow from DA to Create / Delete User Object? Right. AdminSDHolder is going to change it back on its rounds. And (though joe will come in here any minute and smack me with a large trout) if I make changes to my AdminSDHolder (not advised), I can change the ACE/ACL in AD for the administrative contexts. In fact, because of issues with DAs that need to do their job, but simply can't be trusted to do some things without blowing off a toe or a leg, I've had to limit DA ability to modify/change/link/anything the Default Domain Policy and Default DC Policy.

Overall - not advised, I agree. Create a new user/group/role for what you want these folks to really be able to do. This would be the right direction. Eviscerating the DA is not the right move, but that doesn't mean that it can't be done.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, February 22, 2005 4:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

Maybe you could configure auditing to see who is creating user accounts, or "convert" all domain admins into normal users ;-)

Preventing what you want is not possible, as domain admins in a forest/domain have the ability to do everything they want.

Jorge

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of "Sanz de León, Juan Carlos"
Sent: Thursday, July 29, 2004 4:15 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Is it possible ? deny domain admins create new user permission

Dear Gurus,

We are currently working on a project where we need to deny domain administrators the permission to "create new users" (and assign it to some other group). Is this technically possible? Has anyone actually done it before?

Thanks in advance for your help,

Juan Carlos Sanz

This e-mail and any attachment is for authorised use by the intended recipient(s) only.
It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
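As an added example (not from anyone in the thread), the two controls the replies point at, delegating Create/Delete User Objects on an OU to a dedicated group instead of relying on Domain Admins, and auditing who actually creates accounts, written in PowerShell with the RSAT ActiveDirectory module. The OU and group names are placeholders; the AdminSDHolder read-out only shows the template that SDProp re-applies to protected principals, which is why ACEs placed on those objects do not stick.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TargetOU      = 'OU=Staff,DC=example,DC=com'     # placeholder OU
$Delegatee     = 'EXAMPLE\Account-Provisioners'   # placeholder group (not Domain Admins)
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the 'user' class

# 1. Delegate Create/Delete User Objects on the OU to the dedicated group
#    (the "new group/role" rtk recommends instead of carving up DA).
$acl = Get-Acl -Path "AD:\$TargetOU"
$sid = (New-Object System.Security.Principal.NTAccount($Delegatee)).Translate(
          [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $UserClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 2. Show the AdminSDHolder template: SDProp copies this ACL onto protected
#    (adminCount=1) users and groups on its rounds, overwriting local edits.
$domainNC = (Get-ADDomain).DistinguishedName
$holder   = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainNC"
$holder.Access |
    Where-Object { $_.IdentityReference -like '*Domain Admins*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType

# 3. Detective control (Jorge's suggestion): who created user accounts in the last 7 days.
#    Needs 'Audit User Account Management' success auditing on the DCs; event 4720 = user created.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            NewUser   = $d.TargetUserName
            CreatedBy = $d.SubjectUserName
        }
    }
```

Run step 3 on a domain controller, or point Get-WinEvent at one with -ComputerName, since the 4720 events are written on the DC that handled the creation.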