Technically, he could remove those group objects from having the ability to
manage whatever items.  Any user members of these groups could simply 'take
it back', but that requires a decent amount of knowledge.

My recommendation: Restrict those group memberships by GPO on the DC GPO.
This will end up with the user list being very small and the chance that
someone hacks both the group membership and goes to check and/or edit the
GPO in the time that it would take before the GPO refreshes on a DC (and
that change gets replicated out) to be relatively small.  It's not
vanishingly small, but small enough that it's a manageable risk, as opposed
to a non-manageable one.

The groups are there for very good reasons and some of the capabilities
can't be moved to another group without some serious work (if at all).
Basically, there has to be some form of 'emergency' fixing and lacking some
of these groups, you'd lose that capability, which might not seem important
until you need to have it, then you're in a world of hurt.
On 12/22/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

Not putting any users in the groups is basically the same effect as
removing them from an operational perspective.  If you don't have a user in
the group, nobody has the rights to change things that only these groups
have rights to.  That's probably what your mgmt wants to achieve.  You'd
then populate the groups on an as-needed basis to perform specific tasks.
The reason why you don't want to remove them (which you could technically)
is pretty easy: these groups are there for a purpose, i.e. they have been
granted specific rights in AD to perform special tasks. This includes schema
mgmt and administration of the config NC.  If you don't like the groups,
you'd have to ACL AD to allow another group to perform the tasks – doesn't
really make any sense ...
/Guido
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of [EMAIL PROTECTED]
*Sent:* Friday, 22 December 2006 17:14
*To:* [email protected]
*Subject:* [ActiveDir] Built in Security groups
Does anyone have a reference (preferably from MS) showing that you should
not remove the built-in security groups such as Schema Admins, Enterprise
Admins, etc. It has come down from above that we should be removing these
groups and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel

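The approach recommended at the top of the thread (keep Schema Admins and Enterprise Admins empty, enforce that with a Restricted Groups GPO, and add members only for the duration of a task) is easier to trust when something checks the membership independently of Group Policy. The following PowerShell script is an added example, not code from any of the posters; it assumes the RSAT ActiveDirectory module is available and that the account running it can read group membership in the forest root domain.

```powershell
# Added example: audit the high-privilege built-in groups the thread says to keep empty.
# Assumes the RSAT ActiveDirectory module and read access to group membership.
Import-Module ActiveDirectory

# Schema Admins and Enterprise Admins exist only in the forest root domain,
# so query a DC there rather than whatever domain the script runs in.
$rootDomain = (Get-ADForest).RootDomain
$groupsToKeepEmpty = @('Schema Admins', 'Enterprise Admins')

$findings = foreach ($groupName in $groupsToKeepEmpty) {
    # -Recursive expands nested groups, so a user added via a nested group is still reported.
    $members = @(Get-ADGroupMember -Identity $groupName -Server $rootDomain -Recursive)
    foreach ($m in $members) {
        [pscustomobject]@{
            Group  = $groupName
            Member = $m.SamAccountName
            Type   = $m.objectClass
            DN     = $m.distinguishedName
        }
    }
}

if ($findings) {
    # Any member at all means the "empty unless needed" rule is currently violated.
    $findings | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) member(s) found in groups that should be empty."
    exit 1
}
else {
    Write-Output "All monitored groups are empty."
}
```

Run it on a schedule shorter than the Group Policy refresh interval and alongside alerting on the security-enabled group membership change events in the DC security logs, so an addition is noticed even if the Restricted Groups setting reverts it before the next run.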