Something I often recommend to my customers is to keep the membership of the Enterprise Admins and Schema Admins groups empty and only populate them (temporarily) when required. The privileges assigned to these groups are obviously high, and removing the members reduces the potential for costly mistakes and/or compromise.
Here’s a quick PowerShell snippet that will perform the removal:
$grps = "Enterprise Admins", "Schema Admins"
foreach ($grp in $grps) {
    Get-ADGroupMember -Identity $grp |
        ForEach-Object { Remove-ADGroupMember -Identity $grp -Members $_ -Confirm:$false }
}
This is something that you could consider running as a scheduled task to ensure the memberships are kept clear.
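If you do schedule this, it is worth keeping a record of what was removed and targeting the forest root domain explicitly (both groups live only there). The following is an added example, not the snippet from the post above; the log path is an assumption you will want to change for your environment.

```powershell
# Added example: audit-then-clear Enterprise Admins / Schema Admins, logging each removal.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Groups = @('Enterprise Admins', 'Schema Admins'),
    # Assumed log location; adjust for your environment.
    [string]$LogPath = 'C:\ProgramData\PrivGroupCleanup\removals.log'
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Both groups exist only in the forest root domain, so query a DC there
# rather than whichever domain the scheduled task happens to run in.
$rootDomain = (Get-ADForest).RootDomain

foreach ($grp in $Groups) {
    $members = @(Get-ADGroupMember -Identity $grp -Server $rootDomain)

    if ($members.Count -eq 0) {
        Write-Verbose "$grp is already empty"
        continue
    }

    foreach ($m in $members) {
        # Record who was removed, from which group, and when, before acting.
        $entry = '{0} {1} {2} {3}' -f (Get-Date -Format o), $grp, $m.objectClass, $m.distinguishedName
        if ($PSCmdlet.ShouldProcess($m.distinguishedName, "Remove from $grp")) {
            Remove-ADGroupMember -Identity $grp -Members $m -Server $rootDomain -Confirm:$false
            Add-Content -Path $LogPath -Value $entry
        }
    }
}
```

Run it once with -WhatIf to see what would be removed before letting the scheduled task run it for real; the log gives you something to reconcile against the DC security event log afterwards.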
I get the following error:
PS C:\Users\jmattix@extest.local\Desktop> Remove-ADGroupMember -Identity “Meeting Contacts” -Members $_ -confirm:$false
Remove-ADGroupMember : Cannot validate argument on parameter ‘Members’. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
At line:1 char:82
+ Remove-ADGroupMember -Identity “Meeting Contacts” -Members <<<< $_ -confirm:$false
+ CategoryInfo : InvalidData: (:) [Remove-ADGroupMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Activ eDirectory.Management.Commands.RemoveADGroupMember
Any thoughts?
For future reference, change the Get-ADGroupMember line to:
Get-DistributionGroupMember -Identity $grp | %{Remove-DistributionGroupMember -Identity $grp -Member $_ -Confirm:$false}
So it becomes:
$grps = "Enterprise Admins", "Schema Admins"
foreach ($grp in $grps) {
    Get-DistributionGroupMember -Identity $grp | %{Remove-DistributionGroupMember -Identity $grp -Member $_ -Confirm:$false}
}
This is good advice, except for the scenario we ran into about a month ago. Somehow the entire domain admins group got wiped out, leaving no members. If it wasn’t for a user in the enterprise admins group we wouldn’t have been able to fix that. I don’t think you can change the membership of the enterprise admins group without domain admin privileges, am I right? This would be my only objection to implementing this advice.