Hi everyone,In a one forest/one domain 2003 AD structure, is it safe to take out the Administator (that's put in my default) from the Enterprise Admin group and just have Domain Administrators listed by specifiying the Domain Admin Security Group or specifiying one or two accounts that have Domain Admin access?If the domain goes south for whatever reason, I would assume there would be no more Enterpise Admin access and we would have denied ourselves access to everyting within the domain, correct?If an account is in the Enterprise Admin Group, should it also be in theSchema Admin Group?Thank you!!!~Temarias

Hi, May I know why you want to take out the Administrator from the Enterprise Admins group? If you would like to secure Active Directory, you can rename the Administrator by using Group Policy Accounts: Rename administrator account. The location of the group policy is: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options It is not necessary to add the accounts that is member of Enterprise Admins group to the Schema Admins. Only Schema Admin can update the Active Directory Schema. Enterprise Admins are the administrators of the whole forest. For more information about Active Directory Best practices, visit the following link: http://technet.microsoft.com/en-us/library/cc778219.aspx