Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Active Directory Schema Adminstrator

Posted on 2014-07-25
6
Medium Priority
?
388 Views
Last Modified: 2014-07-26
In Windows AD there is Schema Administrator. I wonder if Enterprise Admin and Domain Admin have the privileges of Schema Admin by default.
OR
We'll have to add Enterprise and Domain Admin to Schema Admins group, for the specified accounts to have the Schema Admin privileges?

Thank you
0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 23

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 500 total points
ID: 40219482
Hi,

Regarding your question about " if Enterprise Admin and Domain Admin have the privileges of Schema Admin by default" - The answer is No. You need assign the schema admin group to the appropriate users in order get access to schema.

There is a good discussion about the privileges from EE, please have a look http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_27313423.html

Thanks
0
 
LVL 5

Assisted Solution

by:amac81
amac81 earned 500 total points
ID: 40219510
Typically I would recommend that you only add the users who need access to the schema directly, and only for the time that they need the access to complete the work they're doing and then remove them.
0
 
LVL 44

Assisted Solution

by:Amit
Amit earned 1000 total points
ID: 40220077
All these three group: Enterprise and Domain Admin to Schema Admins has different role to play. I normally prefer not to keep anyone in  Enterprise and Schema Admin group. Until you have any specific requirement, where you need account to part of these groups. Like Exchange server upgrade etc.

Schema is like a Blue print for your AD environment. Any changes made to it cannot be revert back again. Especially, if you made any custom changes manually.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:jskfan
ID: 40220813
I just installed a new Domain , with 2 DCs. I checked the membership of Administrator account, and found that it is member of Enterprise /Schema/Domain admins.
That's by default.

What I believe, is when you install a new domain, you will become Enterprise Admin, and Enterprise Admin, can manually add Schema Admin and Domain Admin to Enterprise admin group...
So , I did not do that manually, Microsoft thought it is up to the Enterprise Admin to choose if they need in the Enterprise Admin group or he can remove them.

That's my guessing
0
 
LVL 44

Accepted Solution

by:
Amit earned 1000 total points
ID: 40220966
Administrator ID by default will be part of all these groups. If you need other ID's to have same access you can add them to required group. Domain admin is enough for managing AD.
0
 

Author Closing Comment

by:jskfan
ID: 40221614
Thank you
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question