How can configure "Account Operator Rights" to cannot User Account in Domain Admin Group ?

Hello,

this is the official description form Microsoft about the Account operators:

"Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution."

Personal i would not use the account operators group as they have lot's of permissions. I prefer to use an own created security group and then use "Delegate control" wizard on the OU where they should have the permission to work. See this great article from Jorge about delegating several admin tasks:

http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

Another important part of the account operators is, that this group is a protected group where AdminSDHolder comes into play, each hour the security settings will be reset automatically:

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Hi,
 
Just want to confirm the current situations.
 
Please feel free to let us know if you need further assistance.
 
Best Regards,
Vicky 

Hi,
 
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
 
Best Regards,
Vicky