Why Consider this
Only members of the Schema Admins group can modify the schema, so accounts should be added to this group only when a schema change is required and removed afterwards. Keeping the group empty means there is no standing Schema Admin account for a cyberattacker to compromise, which could otherwise have serious consequences.
Context & Best Practices
Members of the Schema Admins group are allowed to make changes to the schema. The schema is the underlying definition of all objects and attributes that make up the forest.
Membership in the Schema Admins group is not required for any purpose beyond making schema changes. Because schema changes are a relatively rare occurrence, it is recommended that the Schema Admins group remain empty except when actively making changes.
This approach reduces the chance of accidental schema changes. It also adds a layer of security: anyone who wants to make a schema change must first add themselves to the group.
Suggested Actions
Remove any members of the Schema Admins group.
Implement a process to ensure that accounts are only added to this group when there is a requirement to change the schema and that those accounts are removed afterwards.
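The following PowerShell script is an added example (not part of the original page or any Microsoft tooling) that supports both suggested actions: it locates the Schema Admins group in the forest root domain, lists its current members for an audit, and can empty the group with -WhatIf / -Confirm support. It assumes the RSAT ActiveDirectory module is installed and that the caller has rights to read and modify the group; the function names and parameters are this example's own. Schema Admins is looked up by its well-known relative ID (518) rather than by display name so the lookup is independent of the domain's language.

```powershell
# Added example (not from the original page): audit the Schema Admins group in the
# forest root domain and, on request, remove every direct member. Requires the RSAT
# ActiveDirectory module and rights to read/modify the group. Function names and
# parameters are this example's own.
#Requires -Modules ActiveDirectory

function Get-SchemaAdminsGroup {
    # Schema Admins exists only in the forest root domain; locate it by its
    # well-known relative ID (518) so the lookup does not depend on display language.
    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain
    $sid    = "$($root.DomainSID.Value)-518"
    Get-ADGroup -Identity $sid -Server $root.PDCEmulator
}

function Get-SchemaAdminsMember {
    # Returns one object per effective member, expanding nested groups so that a
    # user hidden inside another group is still reported.
    [CmdletBinding()]
    param()
    $root  = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $group = Get-SchemaAdminsGroup
    Get-ADGroupMember -Identity $group -Server $root.PDCEmulator -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.SamAccountName
                ObjectClass       = $_.objectClass
                DistinguishedName = $_.DistinguishedName
            }
        }
}

function Clear-SchemaAdminsGroup {
    # Removes the direct members of Schema Admins (a nested group is removed as a
    # unit, not its members). ConfirmImpact = 'High' forces a prompt unless
    # -Confirm:$false is passed; -WhatIf previews without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $root    = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $group   = Get-SchemaAdminsGroup
    $members = @(Get-ADGroupMember -Identity $group -Server $root.PDCEmulator)
    if ($members.Count -eq 0) {
        Write-Verbose 'Schema Admins is already empty.'
        return
    }
    foreach ($m in $members) {
        if ($PSCmdlet.ShouldProcess($m.DistinguishedName, 'Remove from Schema Admins')) {
            Remove-ADGroupMember -Identity $group -Members $m -Server $root.PDCEmulator -Confirm:$false
        }
    }
}

# Usage:
#   Get-SchemaAdminsMember | Format-Table    # audit: who is currently a Schema Admin
#   Clear-SchemaAdminsGroup -WhatIf          # preview the removals
#   Clear-SchemaAdminsGroup                  # remove members (prompts per member)
```

Run the audit function on a schedule and treat any non-empty result outside an approved schema-change window as a finding; the clear function is the remediation step to run once the change is complete. Both functions target the PDC emulator of the forest root domain so the read and the write go to the same domain controller.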