Restrict AD security group additons


Hello, I have been looking around for the best way to lock down an AD security group so that help desk users for instance, cannot add users to a specific AD group. So if I had a group called "secure_group" I would like to lock that down to that only domain admins and specific other users can add members to that group and prevent help desk users from adding users to that group.

All the searching I have been doing discusses "Restricted Groups" which done through Group Policy, deals with adding domain security groups or specific users to "Local Groups" on servers. But I am looking to lock down AD security groups. Any help is appreciated.

2 Replies
best response confirmed by charlie4872 (Contributor)

@charlie4872 You could just block the group Full Control on the AD security group, chosse Deny for Full Control first and then choose Allow Read. The Helpdesk can see it, but not modify it. You can add other groups too of course and grant them Full Control on the gorup.




That works. Thanks Harm_Veenstra