5-10: Empty as Many of the Built-in Groups as Possible

Solution overview

Type of solution: Guidance

Features and tools: Protected built-in groups, adminSDHolder

Solution summary: Remove the members of built-in, protected groups.

Benefits: Gain more granular, managed control over Active Directory delegation, and prevent the user accounts that belong to protected groups from being exempted from the normal inheritance of Active Directory permissions.

Introduction

To support rapid deployment of Active Directory, Windows provides several default administrative groups with preconfigured permissions and rights in the domain. Most of those groups—including Account Operators, Backup Operators, Print Operators, and Server Operators—can be found in the Built-in OU. Wherever ...
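A read-only audit of the four groups named above, added here as an example and not taken from the book: it lists every effective member and shows whether the account has been exempted from permission inheritance. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name, the well-known SIDs, and the adminCount attribute are not from the page.

```powershell
# Added example (not from the book): read-only audit of built-in operator groups.
Import-Module ActiveDirectory

# Well-known SIDs, identical in every domain, so localized group names do not matter.
$builtinGroups = [ordered]@{
    'Account Operators' = 'S-1-5-32-548'
    'Server Operators'  = 'S-1-5-32-549'
    'Print Operators'   = 'S-1-5-32-550'
    'Backup Operators'  = 'S-1-5-32-551'
}

# Hypothetical helper name chosen for this example.
function Get-BuiltinGroupAudit {
    foreach ($entry in $builtinGroups.GetEnumerator()) {
        $group   = Get-ADGroup -Identity $entry.Value
        # -Recursive flattens nested groups so indirect members are reported too.
        $members = @(Get-ADGroupMember -Identity $group -Recursive)

        if ($members.Count -eq 0) {
            # An empty group is the target state described in the solution summary.
            [pscustomobject]@{
                Group = $entry.Key; Member = '(empty)'
                AdminCount = $null; InheritanceBlocked = $null
            }
            continue
        }

        foreach ($m in $members) {
            $obj = Get-ADObject -Identity $m.DistinguishedName `
                                -Properties adminCount, nTSecurityDescriptor
            [pscustomobject]@{
                Group              = $entry.Key
                Member             = $m.SamAccountName
                # adminCount = 1 marks an object whose ACL was stamped from adminSDHolder.
                AdminCount         = $obj.adminCount
                # True means the object no longer inherits permissions from its parent OU.
                InheritanceBlocked = $obj.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
    }
}

Get-BuiltinGroupAudit | Sort-Object Group, Member | Format-Table -AutoSize
```

Removing an account from a protected group does not by itself clear adminCount or re-enable inheritance on that account, so rerun the audit against the removed accounts and reset both where needed.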

Get Windows Administration Resource Kit: Productivity Solutions for IT Professionals now with the O’Reilly learning platform.
