Chapter 14. Security: Default groups and delegation


In a small organization, you could easily be the only administrator of your Active Directory without being overwhelmed. But imagine an organization with thousands of users—a single administrator will not be sufficient. The simple answer, used by most organizations for historical reasons, is to provide a large number of users domain-administrator-level permissions. This often leads to a situation where no one has overall responsibility for the Active Directory, so it gradually descends into a chaotic state.

Note

The reason for putting all administrators into the Domain Admins group can be traced back to Windows NT in the mid-1990s. Membership in the Domain Admins group was required to perform any administration tasks.

The better solution is to have a very small, tightly controlled number of domain administrators. Any other user who performs administration tasks should have the relevant permissions delegated to them. This is the principle of least privilege: you give users the permissions they need to perform their job, and no more.

Active Directory provides a number of default groups that are created at the time it is installed. The default groups are found in either the Builtin container or the Users container. The first section of this chapter teaches you about the default groups with advice on when to use them and any issues you may encounter in their use.
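As an added example (not code from the chapter), the following PowerShell script lists the default groups in both containers and then counts how many user accounts hold domain-administrator-level rights, including through nested group membership. It assumes the RSAT ActiveDirectory module is installed and that the account running it is domain-joined with read access to group objects.

```powershell
# Added example, not from the chapter. Assumes the RSAT ActiveDirectory module
# and a domain-joined account that can read group objects.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# Default groups live in two containers: CN=Builtin (domain-local groups such as
# Administrators and Account Operators) and CN=Users (Domain Admins, Enterprise
# Admins, Schema Admins and others).
$containers = @("CN=Builtin,$dn", "CN=Users,$dn")

foreach ($container in $containers) {
    Write-Host "`n== Groups in $container =="
    Get-ADGroup -Filter * -SearchBase $container -SearchScope OneLevel -Properties Description |
        Sort-Object Name |
        Select-Object Name, GroupScope, GroupCategory, Description |
        Format-Table -AutoSize
}

# Least-privilege check: how many user accounts actually hold domain-admin-level
# rights? -Recursive expands nested groups so a group placed inside Domain Admins
# is not missed. Enterprise Admins and Schema Admins exist only in the forest root
# domain, so lookups that fail there are silently skipped.
$highPriv = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
Write-Host "`n== User accounts with domain-admin-level rights =="
foreach ($name in $highPriv) {
    $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    "{0,-18} {1,3} user(s)" -f $name, @($members).Count
}
```

A count well beyond the handful of people who genuinely need domain-wide control is the symptom this chapter describes; the delegation section shows how to move the rest to narrower permissions.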

14.1. Default groups

14.2. Delegation

14.3. LAB

14.4. Ideas for on your own
