No. Once a user becomes member of a high privileged group, there is no technical restriction. Because of this, she or him can create/change/delete any other administrator. This is the problem with big AD implementations, which did not consider a proper Delegation model (or a 3rd party tool which might provide this functionality). Restricting Privileged Users is not possible. This […]