How to secure Domain Admins and Enterprise Admins security groups

Introduction

Learn how to secure the Domains Admins and Enterprise Admins security groups in Active Directory and stop members of those groups logging into member servers and workstations. In this example, I show you how to use group policy to set the ‘Deny access to this computer from the network’, ‘Deny log on as a batch job’, ‘Deny log on as a service’, ‘Deny log on locally’, and ‘Deny log on through Remote Desktop Services’ options which will stop members of the Domain Admins and Enterprise Admins security groups from logging into member servers and workstations as well as running services and applications on those devices.

Video

Additional reading

Managing Local Administrator Accounts

Delegate Active Directory Permissions

Microsoft: Securing Enterprise Admins Groups in Active Directory

Microsoft: Securing Domain Admins Groups in Active Directory