Remove all members from the Schema Admins group unless you are actively changing the schema



Why Consider this

Only members of the Schema Admins group can modify the schema, so accounts should be added to this group only when a schema change is required and removed as soon as the change is complete. Keeping the group empty limits what an attacker gains from a compromised administrative account: a compromised Schema Admin can alter the object class and attribute definitions of the whole forest, and schema changes replicate to every domain controller and cannot be undone (classes and attributes can only be deactivated, never deleted).


Context & Best Practices

Members of the Schema Admins group are allowed to make changes to the schema. The schema is the underlying definition of every object class and attribute that make up the forest; there is one schema per forest, changes to it are written on the schema master and replicated to every domain controller in the forest, and the Schema Admins group itself exists only in the forest root domain.

Membership in the Schema Admins group is not required for any purpose beyond making schema changes. Because schema changes are a relatively rare occurrence, it is recommended that the Schema Admins group remain empty except when actively making changes.

This approach helps reduce the possibility of accidental schema changes. It also adds a layer of security: anyone who wants to make a schema change must first be added to the group, which requires rights that only forest-root administrators hold by default and which writes a membership-change event to the Security log of the domain controller that processed it (4728 or 4756 for the addition, 4729 or 4757 for the removal), so every schema change leaves a record that can be reviewed or alerted on.

Suggested Actions

Remove all current members of the Schema Admins group, including any nested groups, and confirm that the group is empty.

Implement a process to ensure that accounts are added to this group only when there is a requirement to change the schema and that they are removed immediately afterwards. Note that group membership is evaluated when a logon token is built, so the account must log on again (or otherwise obtain a fresh token) after being added, and the schema change itself must be made against the schema master.
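The following PowerShell is an added example and is not part of the original page or of any Microsoft tooling. It implements the suggested actions above: enumerate and empty the Schema Admins group, grant membership just in time for a schema change and remove it again whether or not the change succeeds, and review the membership-change audit events. It assumes the RSAT ActiveDirectory module is installed, that the operator can modify Schema Admins membership (a forest-root Domain Admin or Enterprise Admin), and that the root-domain domain controllers audit group membership changes; the function names are the author's own.

```powershell
# Added example, not taken from the page: audit, empty and just-in-time-populate the
# Schema Admins group, and review its membership-change audit events.
# Assumptions: RSAT ActiveDirectory module present; the operator can change Schema Admins
# membership (forest-root Domain Admin or Enterprise Admin); the root-domain DCs audit
# "Security Group Management" so that 4728/4729/4756/4757 events are written.

Import-Module ActiveDirectory

# Schema Admins lives only in the forest root domain. Resolve it by its well-known
# RID (518) rather than by name so the script is independent of localization and of
# the domain the operator is logged on to. Membership writes go to the root PDC emulator
# because only a root-domain DC holds a writable copy of the group object.
$forest       = Get-ADForest
$rootDomain   = Get-ADDomain -Identity $forest.RootDomain
$rootPdc      = $rootDomain.PDCEmulator
$schemaMaster = $forest.SchemaMaster
$schemaAdmins = Get-ADGroup -Identity ("{0}-518" -f $rootDomain.DomainSID.Value) -Server $rootPdc

function Get-SchemaAdminsMembers {
    # -Recursive expands nested groups so an indirect member is not missed.
    Get-ADGroupMember -Identity $schemaAdmins -Server $rootPdc -Recursive |
        Select-Object name, objectClass, distinguishedName
}

function Clear-SchemaAdmins {
    # Direct members only: removing a nested group removes everyone it carries.
    $members = @(Get-ADGroupMember -Identity $schemaAdmins -Server $rootPdc)
    if ($members.Count -eq 0) { Write-Host "Schema Admins is already empty."; return }
    Remove-ADGroupMember -Identity $schemaAdmins -Members $members -Server $rootPdc -Confirm:$false
    Write-Host ("Removed {0} member(s): {1}" -f $members.Count, ($members.SamAccountName -join ', '))
}

function Invoke-WithSchemaAdmin {
    # Adds $Account to Schema Admins, runs the supplied change, and removes the account
    # again in a finally block so a failed change never leaves the membership behind.
    # Group membership is only part of a token built at logon, so the change is run with
    # freshly supplied credentials, which forces a new logon instead of reusing this
    # session's token. If the schema master is not the root PDC, allow the membership
    # change to replicate before the script block runs against it.
    param(
        [Parameter(Mandatory)] [string]      $Account,
        [Parameter(Mandatory)] [scriptblock] $SchemaChange   # receives $Server, $Credential
    )
    $cred = Get-Credential -UserName ("{0}\{1}" -f $rootDomain.NetBIOSName, $Account) `
                           -Message "Credentials used for the schema change"
    Add-ADGroupMember -Identity $schemaAdmins -Members $Account -Server $rootPdc
    try {
        & $SchemaChange $schemaMaster $cred
    } finally {
        Remove-ADGroupMember -Identity $schemaAdmins -Members $Account -Server $rootPdc -Confirm:$false
    }
}

function Get-SchemaAdminsMembershipChanges {
    # Membership changes are logged on the DC that processed them: 4728/4756 for an add
    # (global/universal group), 4729/4757 for a removal. Matching on the group SID in the
    # message text keeps the check independent of display names.
    param([int] $Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4728, 4729, 4756, 4757; StartTime = (Get-Date).AddDays(-$Days) }
    $sidPattern = [regex]::Escape($schemaAdmins.SID.Value)
    Get-ADDomainController -Filter * -Server $rootPdc | ForEach-Object {
        Get-WinEvent -ComputerName $_.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $sidPattern } |
            Select-Object TimeCreated, Id, MachineName, Message
    }
}

# Typical use:
#   Get-SchemaAdminsMembers                 # expected to return nothing
#   Clear-SchemaAdmins                      # one-off clean-up of existing members
#   Invoke-WithSchemaAdmin -Account 'schema-svc' -SchemaChange {
#       param($Server, $Credential)
#       # run the schema update (e.g. Set-ADObject / ldifde) against $Server with $Credential
#   }
#   Get-SchemaAdminsMembershipChanges -Days 90
```

Run Get-SchemaAdminsMembers from the assessment itself: an empty result is the desired steady state, and any membership-change event returned by Get-SchemaAdminsMembershipChanges should correspond to a documented schema change.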
