Who should be in the Enterprise/Schema Admin Group?
Hi everyone,
In a one forest/one domain 2003 AD structure, is it safe to take out the Administrator (that's put in by default) from the Enterprise Admin group and just have Domain Administrators listed by specifying the Domain Admin Security Group or specifying one or two accounts that have Domain Admin access?
If the domain goes south for whatever reason, I would assume there would be no more Enterprise Admin access and we would have denied ourselves access to everything within the domain, correct?
If an account is in the Enterprise Admin Group, should it also be in the Schema Admin Group?
Thank you!!!
~Temarias
September 5th, 2008 7:18pm
Hi,
May I know why you want to take out the Administrator from the Enterprise Admins group? If you would like to secure Active Directory, you can rename the Administrator by using the Group Policy "Accounts: Rename administrator account". The location of the group policy is:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
It is not necessary to add the accounts that are members of the Enterprise Admins group to the Schema Admins. Only Schema Admins can update the Active Directory Schema. Enterprise Admins are the administrators of the whole forest.
For more information about Active Directory Best practices, visit the following link:
http://technet.microsoft.com/en-us/library/cc778219.aspx
September 8th, 2008 9:56am