From what you're saying here, it doesn't sound like you need to basically...
well... completely f*ck up your environment, you just need to remove the
nesting of the Administrators group from the other groups.

Auditors saying that you need to delete a built-in group really need to get
a clue, just to be honest.  If you have to give it to them, then that
shouldn't be an issue.  Don't view an auditors request as a "You must do
this" statement, because it isn't.  They are basing their recommendations
off incomplete understanding of the Windows environment, fill in the missing
information and there is a really good chance that they'll go "Oh...".  It
really sounds like what you need is appropriate auditing to make sure that
you have your sensitive group memberships monitored for membership changes.



On 12/26/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


Nope, we haven't delegated the rights to anyone else. We are a single
forest farm that hasn't done a schema update with the current staff, so I
doubt they even know what the groups are for. They saw that Administrator
was a member of those groups, didn't know what they were for, and said to
disable them. This is the problem with SOX and similar setups: the auditors
and people making decisions based on their findings are often not the people
best equipped to make the decisions from a technical standpoint. Regardless,
I found the list of built-in accounts and groups and a reference from an
outside authority (article in ITPro) stating that the built-in groups can
not be deleted, so I think I have enough ammo to push back =)

Thanks,
Andrew Fidel


From: "joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 12/23/2006 01:49 PM
Please respond to: [email protected]
To: <[email protected]>
Subject: RE: [ActiveDir] Built in Security groups

Yep the reference is Error Code 0x55B (1371) in winerror.h....

ERROR_SPECIAL_ACCOUNT
# Cannot perform this operation on built-in accounts.


An alternate reference is

"isCriticalSystemObject: TRUE"


Send back up to the above that they should be setting overall generic
security policies and the technical people should be figuring out how to
interpret them. Telling you to delete certain groups is deeper into the
details than they likely should be based on this requirement.

Course my response probably would have been a chuckle or two and "Yeah
I'll get right on that...". ;o)

The basic concept is silly. Correct me if I am wrong, but I am guessing you
have delegated the same rights to other groups, so they feel that leaving the
original groups is a security issue? Obviously this is silly on the surface
and actually at any level. Any group that has the same rights represents the
same security risk. I wouldn't even bother taking the Schema Admins group
and delegating those rights to some other group I made; I don't see the point,
and I could visualize tools that will actually break if you did that because
they may look at the token or directory to verify someone is a member of
that group directly to continue on.


   joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
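The two technical points in this thread are joe's isCriticalSystemObject reference (the attribute that marks the groups the OS refuses to delete) and the first reply's advice to remove the nesting of Administrators from other groups and monitor sensitive group memberships instead. The following script, an added example that is not from any poster, inventories both; it assumes the RSAT ActiveDirectory module and a domain-joined session, and the event IDs it queries are the standard Windows Security log IDs for group membership changes.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT) is installed and the session runs in a domain-joined context.
Import-Module ActiveDirectory

# BUILTIN\Administrators has the well-known SID S-1-5-32-544; resolve it so we
# can recognise its DN inside other groups' member lists.
$administrators = Get-ADGroup -Identity 'S-1-5-32-544'

# Groups the directory itself protects: the same objects that trigger
# ERROR_SPECIAL_ACCOUNT (0x55B) when you try to delete them.
$criticalGroups = Get-ADGroup -LDAPFilter '(&(objectClass=group)(isCriticalSystemObject=TRUE))' `
    -Properties member, isCriticalSystemObject

# One row per protected group: how many direct members it has and whether the
# Administrators group is nested in it (the nesting the first reply says to remove).
$report = foreach ($g in $criticalGroups) {
    $directMembers = @($g.member)   # direct member DNs only, no recursion
    [pscustomobject]@{
        Group                = $g.Name
        DirectMemberCount    = $directMembers.Count
        AdministratorsNested = $directMembers -contains $administrators.DistinguishedName
    }
}

$report | Sort-Object AdministratorsNested -Descending | Format-Table -AutoSize

# Membership-change auditing for the same groups. Security log event IDs:
# 4728/4732/4756 = member added to a global/local/universal security group,
# 4729/4733/4757 = member removed. Filter to the protected group names above.
$watched = $criticalGroups.Name
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728,4729,4732,4733,4756,4757 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $msg = $_.Message; $watched | Where-Object { $msg -match [regex]::Escape($_) } } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Run the first half on a DC or admin workstation to see which protected groups exist and where Administrators is nested; the second half needs "Audit Security Group Management" enabled, otherwise the Security log holds no 47xx events to show.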



------------------------------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 22, 2006 11:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Built in Security groups


Does anyone have a reference (preferably from MS) showing that you should
not remove the built-in security groups such as Schema Admins, Enterprise
Admins, etc.? It has come down from above that we should be removing these
groups, and while I know better, I need some ammunition to back me up.

Thanks,
Andrew Fidel
