Not putting any users in the groups is basically the same effect as removing them from an operational perspective. If you don't have a user in the group, nobody has the rights to change things that only these groups have rights to. That's probably what your mgmt wants to achieve. You'd then populate the groups on an as-needed basis to perform specific tasks.
The reason why you don't want to remove them (which you could technically) is pretty easy: these groups are there for a purpose, i.e. they have been granted specific rights in AD to perform special tasks. This includes schema mgmt and administration of the config NC. If you don't like the groups, you'd have to ACL AD to allow another group to perform the tasks - doesn't really make any sense ...

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, 22 December 2006 17:14
To: [email protected]
Subject: [ActiveDir] Built in Security groups

Does anyone have a reference (preferably from MS) showing that you should not remove the Built in Security groups such as Schema Admins, Enterprise Admins, etc.? It has come down from above that we should be removing these groups and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel
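
The following is an added example, not part of the thread: one way to check that Schema Admins and Enterprise Admins are kept empty between tasks, as the reply above recommends. It assumes the ActiveDirectory PowerShell module is installed and that the groups keep their default names; `$Approved` and `Get-StandingMember` are hypothetical names introduced for illustration.

```powershell
# Added example: report standing members of the forest-level groups.
# Assumes the ActiveDirectory module (RSAT) and default group names.
Import-Module ActiveDirectory

# Schema Admins and Enterprise Admins exist only in the forest root domain.
$rootDomain = (Get-ADForest).RootDomain

# Constructed baseline: accounts allowed to be standing members.
# Empty lists mean "populate only for the duration of a task".
$Approved = @{
    'Schema Admins'     = @()
    'Enterprise Admins' = @()
}

function Get-StandingMember {
    param(
        [string]$Group,
        [string[]]$Allowed,
        [string]$Server
    )
    # -Recursive expands nested groups so indirect members are reported too.
    Get-ADGroupMember -Identity $Group -Server $Server -Recursive |
        Where-Object { $Allowed -notcontains $_.SamAccountName } |
        Select-Object @{ n = 'Group'; e = { $Group } },
                      SamAccountName, objectClass, distinguishedName
}

$findings = foreach ($g in $Approved.Keys) {
    Get-StandingMember -Group $g -Allowed $Approved[$g] -Server $rootDomain
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) unapproved standing member(s) found."
} else {
    Write-Output 'Schema Admins and Enterprise Admins have no unapproved members.'
}
```

Run on a schedule, the warning path gives an early signal when an account added for a specific task was never removed afterwards.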
