win2k Restricted Groups

[Slim]

I need to implement a few restricted groups in my org. My question is where should I add the restricted groups within Active Directroy. For example I want to create a restricted group for Domain Admins. Should I just assign the group to the Domain Controllers OU or should I go ahead and place it at the domain level. I am wondering how this would effect workstations since there is not a local domain admin group on workstations. Has anyone had any experience with this?


Thanks!

[Qualm]

Well, in Active Directory, under the domain, in Builtin there is already a group called Administrators, and in Users there are groups called Domain Admins and Enterprise Admins ...

I believe that any user who is a member of those groups will have local admin rights on any workstation they log on from. Actually I know that is true for the Builtin group Administrators, and I believe it's true for the other two groups.

What exactly are you meaning to accomplish with "a restricted group for Domain Admins"?

- Qualm

[Slim]

By making the Domain Admins a restricted group in Active Directory it will make sure that no accounts are added or removed from this group without configuring it in Group Policy. The reason for this is because I have a help desk person who likes to add people to these groups in order to trouble shoot problems and often forgets to remove them when completed. If I make the Domain Admins a restricted group then any modifications he makes will be overwritten every 90 minutes when Group Policy is re-applied. This will also aid in defending against any attacker who tries to add a user account to a privelaged group to gain access to network resources.