Administrative accounts and groups have powerful rights, privileges, and permissions to perform critical actions in Active Directory (AD), member servers, and workstations. There are four main built-in administrative groups in AD: Enterprise Admins, Domain Admins, Schema Admins, and Administrators. Each of these groups offers a different level of access to computers, servers, and network settings, with some granting higher privileges than others.
While the rights and permissions granted to each of these groups differ, they are all powerful. It’s normal for an enterprise to have a few members in the Administrators and Domain Admins groups to perform daily tasks, but the Enterprise Admins and Schema Admins groups should be empty.
Every domain in an IT environment has its own Domain Admins group that controls the respective domain. One of the biggest challenges most organizations face is managing Domain Admins group membership, which leaves us all wondering—how many domain admins is too many?
Membership in the Domain Admins group should be limited
Members of the Domain Admins group can manage all the workstations, servers, and domain controllers in their domain along with Active Directory and Group Policy. For most enterprises, this power should be limited to just a handful of people. Unless an admin needs to manage AD along with every computer in the domain, they don’t need to be in the Domain Admins group.
Removing members from the Domain Admins group is the first step to ensure security, followed by delegating privileges to users who need to oversee the domain. We’ll discuss privilege delegation in detail in subsequent blogs.
Here are a few other things you can do to secure privileged users:
- Ensure that all privileged user accounts have long passwords—15 characters or more.
- Change passwords for all users on a regular basis.
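The two controls above (keeping Domain Admins small, and keeping privileged-account passwords long and rotated) are easy to state and easy to drift away from, so it helps to check them on a schedule. The script below is an added example, not part of the original post: it lists the effective (nested) membership of Domain Admins, reports each member's password age, and warns when the Enterprise Admins or Schema Admins groups in the forest root are not empty. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain; the thresholds `$MaxDomainAdmins` and `$MaxPasswordAgeDays` are illustrative values chosen for this example, while the 15-character minimum comes from the post.

```powershell
# Added example (not from the original post): audit Domain Admins membership and
# privileged-account password hygiene. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$MaxDomainAdmins    = 5    # assumed threshold for "too many"; adjust to policy
$MinPasswordLength  = 15   # from the post: 15 characters or more
$MaxPasswordAgeDays = 90   # assumed rotation interval

# Resolve Domain Admins by its well-known RID (-512) rather than by display
# name, so the check survives renaming or localization of the group.
$domainSid    = (Get-ADDomain).DomainSID.Value
$domainAdmins = Get-ADGroup -Identity "$domainSid-512"

# -Recursive expands nested groups, which is where extra membership usually hides.
$members = Get-ADGroupMember -Identity $domainAdmins -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName `
            -Properties PasswordLastSet, PasswordNeverExpires, Enabled, LastLogonDate
    }

$report = foreach ($u in $members) {
    # A null PasswordLastSet means the password has never been set or was reset
    # with "must change at next logon"; treat it as a finding either way.
    $age = if ($u.PasswordLastSet) {
        (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordAgeDays      = $age
        PasswordNeverExpires = $u.PasswordNeverExpires
        LastLogonDate        = $u.LastLogonDate
        Finding              = @(
            if ($null -eq $age -or $age -gt $MaxPasswordAgeDays) { "password older than $MaxPasswordAgeDays days" }
            if ($u.PasswordNeverExpires) { 'PasswordNeverExpires set' }
        ) -join '; '
    }
}

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

$count = @($report).Count
Write-Host ("Domain Admins (effective user members): {0}" -f $count)
if ($count -gt $MaxDomainAdmins) {
    Write-Warning "Domain Admins has $count members, above the assumed threshold of $MaxDomainAdmins; review each one."
}

# Enterprise Admins (-519) and Schema Admins (-518) exist only in the forest root
# domain and, per the post, should normally be empty.
$rootDomain = (Get-ADForest).RootDomain
$rootSid    = (Get-ADDomain -Identity $rootDomain).DomainSID.Value
$forestGroups = @{ 'Enterprise Admins' = "$rootSid-519"; 'Schema Admins' = "$rootSid-518" }
foreach ($g in $forestGroups.GetEnumerator()) {
    $n = @(Get-ADGroupMember -Identity $g.Value -Server $rootDomain -Recursive).Count
    if ($n -gt 0) {
        Write-Warning ("{0} has {1} member(s); it should be empty outside of planned changes." -f $g.Key, $n)
    }
}

# The domain policy cannot prove any individual password's length, but it does
# show the floor that is actually enforced. A lower floor than the post's
# recommendation suggests a fine-grained password policy for privileged accounts.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt $MinPasswordLength) {
    Write-Warning ("Default domain MinPasswordLength is {0}; privileged accounts should have {1}+ characters." -f
        $policy.MinPasswordLength, $MinPasswordLength)
}
```

Run it as a scheduled task under a read-only account and diff the member list against the previous run; a new name appearing in Domain Admins outside a change window is the event worth paging on, and the PasswordNeverExpires flag on any privileged account is a finding regardless of the count.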
To sum it up, domain administration is typically performed by a small number of people, and membership in Domain Admins should be limited. When it comes to deciding how many employees should be in the Domain Admins group, the answer is simple: the fewer the better.
Didn’t really answer the question, did we? I’ve seen organizations with 16, 5, and 2. I would argue no one should have domain admin rights. Instead, add it when you need it, remove it when you’re done.