I have a collegue that has requested we remove the Enterprise Admins and Domain Admins from the BuiltinAdministrators group. Has anyone heard or seen this done? I am under the impression that Domain Admins and Ent. Admins get their permissions to perform tasks on a Domain Controller from that group. Any help is appreciated - thanks in advance...
Not the workstation. He requested to Remove the Domain Admins and the Enterprise admins from the BuiltinAdministrators group on a Domain Controller in the Builtin OU. Thanks in advance
It sounds like a foolish move and might not work. Most of the built in groups cannot be deleted or modified in such a way that you would end up breaking the system. I've been through tons of security papers on securing Windows and have never seen such a request in anything from NSA, CIS, or Microsoft in order to secure a Windows system.
Don
There must be a purpose for such a 'strange' request, and whatever it is needs to find a different solution. Even if you could find a way to remove these groups from AD, I would feel confident that you would break a great many things. I suggest you get more information and see what the problem is that your 'colleague' is really trying to solve.
Free Guide: Managing storage for virtual environments
Complete a brief survey to get a complimentary 70-page whitepaper featuring the best methods and solutions for your virtual environment, as well as hypervisor-specific management advice from TechTarget experts. Don’t miss out on this exclusive content!
Discuss This Question: 3  Replies