Yes, best practice is not to use them. They have all sorts of little bits of extra access floating around in weird places, and they cause adminSDHolder to apply to accounts that probably shouldn't be covered. Do the legwork and delegate exactly what you need to groups - even better, do it in logical groupings of access (e.g. reset password, account unlock, update personal info, etc.), and then you can just add people to groups when they need the access.

Thanks,
Brian Desmond
br...@briandesmond.com
w - 312.625.1438 | c - 312.731.3132

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 10:47 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Theoretically, built-in groups are historical in nature (i.e., carryovers from NT4.0 and previous) and should not be used going forward. All of their capabilities are reproducible via delegation and GPOs and User Rights Assignments.

But I don't think they are going anywhere.

Brian Desmond may have more insight than I do on this topic.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: Related to my Domain Admin thread

Best practice to not add users to a builtin group?

"Account Operators: By default, this built-in group has no members. It can create and manage users and groups in the domain, but it cannot manage service administrator accounts. As a best practice, do not add members to this group, and do not use it for any delegated administration".

http://technet.microsoft.com/en-us/library/cc700835.aspx

David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
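
The delegation approach recommended in this thread (one group per logical task instead of Account Operators), sketched as an added example that is not from any of the posters. The OU paths, the EXAMPLE domain and the Deleg-* group names are placeholders, and the script assumes the ActiveDirectory module and dsacls.exe from RSAT.

```powershell
# Added example; OU, domain and group names below are placeholders (assumptions).
Import-Module ActiveDirectory

$targetOu = 'OU=Staff,DC=example,DC=com'       # OU holding the user accounts to manage
$groupOu  = 'OU=Delegation,DC=example,DC=com'  # OU holding the delegation groups
$netbios  = 'EXAMPLE'

# One group per logical task; each value is a list of dsacls permission specs.
$delegations = @{
    'Deleg-PasswordReset' = @('CA;Reset Password;user', 'RPWP;pwdLastSet;user')
    'Deleg-AccountUnlock' = @('RPWP;lockoutTime;user')
    'Deleg-PersonalInfo'  = @('RPWP;Personal Information;user')
}

foreach ($name in $delegations.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
    }
    foreach ($spec in $delegations[$name]) {
        # /I:S = apply to sub-objects only; the trailing ";user" limits the ACE to user objects.
        dsacls $targetOu /I:S /G "${netbios}\${name}:${spec}" | Out-Null
    }
}

# Audit: the built-in operator groups should stay empty.
foreach ($builtin in 'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators') {
    Get-ADGroupMember -Identity $builtin -Recursive |
        Select-Object @{ n = 'Group'; e = { $builtin } }, SamAccountName, objectClass
}

# Accounts stamped by AdminSDHolder (adminCount=1). The attribute is not cleared
# when an account leaves a protected group, so review every hit.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties memberOf |
    Select-Object SamAccountName, Enabled, memberOf
```

Granting access then becomes a group membership change (Add-ADGroupMember on the relevant Deleg-* group), and the two audit queries show which accounts still depend on built-in groups.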