Nope, we haven't delegated the rights to anyone else. We are a single 
forest farm that hasn't done a schema update with the current staff, so I 
doubt they even know what the groups are for. They saw that Administrator 
was a member of those groups, didn't know what they were for, and said to 
disable them. This is the problem with SOX and similar setups: the 
auditors and the people making decisions based on their findings are often 
not the people best equipped to make the decisions from a technical 
standpoint. Regardless, I found the list of built-in accounts and groups 
and a reference from an outside authority (an article in ITPro) stating 
that the built-in groups cannot be deleted, so I think I have enough ammo 
to push back =)

Thanks,
Andrew Fidel



"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
12/23/2006 01:49 PM
Please respond to: ActiveDir@mail.activedir.org
To: <ActiveDir@mail.activedir.org>
cc:
Subject: RE: [ActiveDir] Built in Security groups

Yep the reference is Error Code 0x55B (1371) in winerror.h....
 
ERROR_SPECIAL_ACCOUNT
# Cannot perform this operation on built-in accounts.
 
 
An alternate reference is 
 
"isCriticalSystemObject: TRUE"
 
 
Send back up to the above that they should be setting overall generic 
security policies and the technical people should be figuring out how to 
interpret them. Telling you to delete certain groups is deeper into the 
details than they likely should be based on this requirement.
 
Course my response probably would have been a chuckle or two and "Yeah 
I'll get right on that...". ;o)
 
The basic concept is silly. Correct me if I am wrong, but I am guessing you 
have delegated the same rights to other groups, so they feel that leaving 
the original groups is a security issue? Obviously this is silly on the 
surface and actually at any level. Any group that has the same rights 
represents the same security risk. I wouldn't even bother taking the 
schema admins group and delegating those rights to some other group I made; 
I don't see the point, and I could visualize tools that will actually break 
if you did that because they may look at the token or directory to verify 
someone is a member of that group directly to continue on. 
 
 
   joe
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 22, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups


Does anyone have a reference (preferably from MS) showing that you should 
not remove the built-in security groups such as Schema Admins, Enterprise 
Admins, etc.? It has come down from above that we should be removing these 
groups, and while I know better, I need some ammunition to back me up. 

Thanks, 
Andrew Fidel
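As an added check that is not part of the thread (neither joe's nor Andrew's code): a PowerShell query for the groups carrying the isCriticalSystemObject flag joe cites, listed with their direct members, so the auditors' concern about who sits in those groups can be answered with data rather than by deleting the groups. It assumes the ActiveDirectory module (RSAT) and read access to the forest root domain, where Schema Admins and Enterprise Admins live.

```powershell
# Added example, not code from the thread. Lists every group the directory
# marks with isCriticalSystemObject=TRUE, together with its direct members.
# Assumptions: ActiveDirectory module (RSAT) installed, read access to AD.
Import-Module ActiveDirectory

# Schema Admins and Enterprise Admins exist only in the forest root domain,
# so query a root-domain DC even when run from a child domain.
$rootDomain = (Get-ADForest).RootDomain

$report = Get-ADGroup -Server $rootDomain `
    -LDAPFilter '(isCriticalSystemObject=TRUE)' `
    -Properties isCriticalSystemObject, whenChanged |
    Sort-Object Name |
    ForEach-Object {
        # Direct members only; add -Recursive to expand nested groups.
        # SilentlyContinue skips groups whose membership cannot be expanded
        # (very large groups, foreign security principals).
        $members = @(Get-ADGroupMember -Server $rootDomain `
                        -Identity $_.DistinguishedName `
                        -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty SamAccountName)
        [pscustomobject]@{
            Group          = $_.Name
            Scope          = $_.GroupScope
            CriticalObject = $_.isCriticalSystemObject
            MemberCount    = $members.Count
            Members        = ($members -join ', ')
            LastChanged    = $_.whenChanged
        }
    }

$report | Format-Table -AutoSize

# Rows with CriticalObject = True are the objects a delete attempt fails on
# with ERROR_SPECIAL_ACCOUNT (0x55B); the control that actually matters is
# reviewing and minimising their membership, not removing the group.
```

Run it periodically and diff the Members column against the previous run; an unexpected addition to Schema Admins or Enterprise Admins is the finding worth raising.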
