Builtin Administrators Domain Group
I have a collegue that has requested we remove the Enterprise Admins and Domain Admins from the BuiltinAdministrators group. Has anyone heard or seen this done? I am under the impression that Domain Admins and Ent. Admins get their permissions to perform tasks on a Domain Controller from that group. Any help is appreciated - thanks in advance...
Software/Hardware used:
Software/Hardware used:
ASKED:
January 23, 2007 3:56 PM
UPDATED:
January 24, 2007 11:32 AM
Answer Wiki:
I am assuming you are talking about removing the Global Domain and Enterprise Admins from the Local Builtin Administrators Group on a workstation. You can do this. However, there are a lot wider system management and security concerns once this happens.
To see all answers submitted to the Answer Wiki: View Answer History.
Not the workstation. He requested to Remove the Domain Admins and the Enterprise admins from the BuiltinAdministrators group on a Domain Controller in the Builtin OU. Thanks in advance
It sounds like a foolish move and might not work. Most of the built in groups cannot be deleted or modified in such a way that you would end up breaking the system. I’ve been through tons of security papers on securing Windows and have never seen such a request in anything from NSA, CIS, or Microsoft in order to secure a Windows system.
Don
There must be a purpose for such a ‘strange’ request, and whatever it is needs to find a different solution. Even if you could find a way to remove these groups from AD, I would feel confident that you would break a great many things. I suggest you get more information and see what the problem is that your ‘colleague’ is really trying to solve.