Who really needs to be in these Security Groups?

Status
Not open for further replies.

KashMarsh

Technical User
Jun 6, 2007
13
US
Domain Admins
Domain Controllers
Enterprise Admins
Schema Admins
SMSMSE Admins
Group Policy Creator Owner
and the local machine's administrator group (that would be the Primary Domain Controller, by the way)

The reason I am asking is that we are having a lot of security issues and backup issues where Veritas (aka Symantec) is not backing up some users' folders/files even though the top folder is checked to back up. Veritas's login ID was included in all the above groups. Is this necessary for Veritas to run properly? (Version 12)

Also, if we have one user who is the administrator, why does his user ID need to be in all of the above groups as well? He is already in the Domain Admins group. Isn't that enough to perform all system administrator functions? If not, why not? We do not have the enterprise version of Microsoft Server. (Standard 2003)

Thanks so much in advance.
 
Hi,

Your Domain admin administers the domain. The domain controller is the machine running the server software that the PCs log in to/through. Enterprise admin administers the enterprise (lots of domains thrown together in a joint venture/enterprise); therefore that administrator needs more privilege than just a domain admin. The schema (rules and regulations of how the domain/enterprise is structured) is a top-level area and needs an administrator with top-level privileges, again more than just a domain admin.

The local administrator can only affect that particular machine, i.e. has no domain/enterprise/schema privileges.

The GPO owner/creator is a "sub-level administrator" (there are many here to whom I should apologise for the over-simplification) who can only affect the particular policy object that they have created. They can be overridden by an administrator.

SMSMSE Admins I am not sure of. Something to do with Systems Management Server, I guess.

Hope this helps.


DDIRR
Diagnose,Discover,Investigate,Repair,Replace

 
SMSMSE Admins is for Symantec Mail Security for Microsoft Exchange.

Best practice is to have as few users as possible in any of those groups. In nearly all environments I design, there are no specific user accounts in those groups. Just the defaults.

Pat Richard
Microsoft Exchange MVP
Contributing author Microsoft Exchange Server 2007: The Complete Reference
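
One way to review who actually sits in the groups discussed in this thread, shown as an added example that is not part of any poster's reply. It assumes the NetBIOS domain name is in `$env:USERDOMAIN` and that the built-in Administrator account is the only expected default member; adjust `$ExpectedDefaults` to match your own baseline.

```powershell
# Added example (not from the thread): list the members of the privileged
# groups named above and flag every account that is not an expected default.
# Assumptions: $Domain is the NetBIOS domain name, and the built-in
# Administrator account is the only member expected by default.
param(
    [string]$Domain = $env:USERDOMAIN,
    [string[]]$ExpectedDefaults = @('Administrator')
)

# "Domain Controllers" is left out because it holds computer accounts, not users.
$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
          'Group Policy Creator Owners', 'SMSMSE Admins'

function Get-GroupMemberNames([string]$Domain, [string]$GroupName) {
    # The WinNT ADSI provider needs no ActiveDirectory module, so this also
    # runs on older management hosts.
    $group = [ADSI]"WinNT://$Domain/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

$report = foreach ($g in $groups) {
    try {
        $members = @(Get-GroupMemberNames $Domain $g)
    } catch {
        # A group that does not exist in this domain (for example SMSMSE Admins
        # where the Symantec product is not installed) is reported and skipped.
        Write-Warning "Could not read '$g': $($_.Exception.Message)"
        continue
    }
    foreach ($name in $members) {
        New-Object PSObject -Property @{
            Group  = $g
            Member = $name
            # True when the account is not in the expected-defaults baseline.
            Extra  = ($ExpectedDefaults -notcontains $name)
        }
    }
}

$report | Sort-Object Group, Member | Format-Table Group, Member, Extra -AutoSize
```

Rows with `Extra` set to `True` are the accounts to justify or remove, such as a backup service account or a day-to-day admin user that has been added to every group.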
 
For your backups, your top level folder may be ticked for backup but unless the folder security is correct, your Veritas backup account may not be able to access the folder(s) even if the account is a member of the security groups you mention.

It may be worth checking a folder that does not get backed up to ensure Domain Admins is in the folder security.

--------------------------------------
"Insert funny comment in here!"
--------------------------------------
 