Membership to the Schema Admins group must be limited.
An XCCDF Rule
Description
The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest. Changes to the schema are not frequently required. This group only contains the Built-in Administrator account by default. Additional accounts must only be added when changes to the schema are necessary and then must be removed.
- ID
- SV-243502r1026198_rule
- Version
- AD.0017
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Limit membership in the Schema Admins group to only those accounts necessary during a schema update. Remove accounts when the updates are complete. Document accounts necessary during schema updates with the ISSO.