I use a Group Policy setting to ensure certain users or groups are always administrators on every machine I add to my test domain. This is a reminder to myself how I do this.
Open the GP Editor and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
- Right-click and select Add Group.
- Browse to the appropriate group, select it and click OK twice.
The membership dialogue appears.
- In the This Group is a Member of: section click Add.
- Select Administrators.
The group will now be a member of the Administrators group on all computers the policy is applied to.
More info: http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx.
I recently tried to remove an OU from my Test AD came and up against this message: You do no have sufficient privileges to delete xxxx or this object is protected from accidental deletion.
To get round this I followed this procedure.
- Ensured Advanced Features was selected in AD Users and Computers.
- Selected the OU, the Properties and then Security.
- Clicked the Advanced button.
- Removed the Deny option from the Everyone group.
I was then able to delete the OU.
More info: https://technet.microsoft.com/en-us/library/cc736842(v=ws.10).aspx.