G'day viewers, my name is Orin Thomas. I'm a principal hybrid cloud advocate at Microsoft. In this video, I'll cover the steps for securing the Enterprise Admins built-in security group in Active Directory Domain Services. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description.

The Enterprise Admins group exists only in the root domain of an Active Directory forest. This group is a universal group and is available in all domains in the forest. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding and removing child domains. By default, the only member of the group is the default Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access to configuring all domain controllers. Members of this group can modify the membership of all administrative groups. Members of the default service administrator groups in the root domain can modify Enterprise Admins membership. This group is considered a service administrator account. The Enterprise Admins group is the default owner of the configuration, schema, domain and application AD DS partitions.

As mentioned, the recommended approach is to limit membership of the Enterprise Admins group to the built-in forest root domain Administrator account. You can use a Restricted Groups policy applied in the Default Domain Policy to reset membership of the Enterprise Admins group on a periodic basis, as shown in the image on the screen. If a privileged user requires Domain Admins privileges in multiple domains in a forest, you should add that user's account to each domain's Domain Admins group rather than adding that account to the Enterprise Admins group.
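The Restricted Groups policy above enforces membership at each Group Policy refresh, but it is still worth being able to see drift between refreshes. The following script is an added example and is not code from the video or from Microsoft's documentation; it lists every Enterprise Admins member other than the forest root domain's built-in Administrator account. It assumes the RSAT ActiveDirectory PowerShell module is installed and that it runs as a user allowed to read group membership in the root domain.

```powershell
# Added example, not from the video or the documentation it is based on.
# Lists Enterprise Admins members other than the forest root built-in Administrator.
Import-Module ActiveDirectory

function Get-EnterpriseAdminsDrift {
    param(
        # Forest root domain; discovered from the current forest by default.
        [string]$RootDomain = (Get-ADForest).RootDomain
    )

    $rootSid = (Get-ADDomain -Identity $RootDomain).DomainSID.Value
    # Well-known RIDs: 500 = built-in Administrator, 519 = Enterprise Admins.
    $builtInAdminSid     = "$rootSid-500"
    $enterpriseAdminsSid = "$rootSid-519"

    # Look the group up by SID rather than by name so a renamed group is still found.
    # -Recursive expands nested groups down to the user/computer objects.
    $members = Get-ADGroupMember -Identity $enterpriseAdminsSid -Server $RootDomain -Recursive

    foreach ($m in $members) {
        if ($m.SID.Value -ne $builtInAdminSid) {
            [pscustomobject]@{
                Name              = $m.SamAccountName
                ObjectClass       = $m.objectClass
                DistinguishedName = $m.distinguishedName
                SID               = $m.SID.Value
            }
        }
    }
}

$drift = @(Get-EnterpriseAdminsDrift)
if ($drift.Count -eq 0) {
    Write-Host "Enterprise Admins contains only the built-in Administrator account."
} else {
    Write-Warning "Unexpected Enterprise Admins members found:"
    $drift | Format-Table -AutoSize
}
```

Running this from a scheduled task on a management host and treating any non-empty output as an alert gives you a second signal alongside the Restricted Groups reset, and it catches nested group membership that a glance at the direct members would miss.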
You should not remove the Enterprise Admins group from the Administrators group in each domain, because in the event of a forest disaster recovery scenario, Enterprise Admins rights will likely be required. A previous video on this channel describes how you can protect the default built-in forest root domain Administrator account and why it should only be used for deployment and disaster recovery operations. In forest environments with multiple domains, you should strongly restrict which accounts are present in the forest root domain, with everyday user accounts and most privileged accounts instead being hosted in child domains. Restricting which accounts are present in the forest root domain reduces the overall AD DS attack surface.

Securing the Enterprise Admins group involves denying specific rights, limiting group membership, and configuring auditing for changes made to the group. We will cover these elements in the remainder of this video.

In terms of assigning rights, you should create a Group Policy Object linked to the organizational units hosting member server and workstation computer accounts in each domain. You should configure this Group Policy Object so that the Enterprise Admins group is assigned the following user rights under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment, as shown in the image on the screen: Deny access to this computer from the network; Deny log on as a batch job; Deny log on as a service; Deny log on locally; and Deny log on through Remote Desktop Services. Remember that this Group Policy Object should not apply to domain controllers. This policy restricting the rights of the Enterprise Admins group should only apply to OUs containing member server and workstation computer accounts. Configure auditing to generate alerts if any modifications are made to the properties or membership of the Enterprise Admins group.
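A GPO that is linked to the wrong OU, blocked by inheritance, or overridden by a later policy silently fails to deny these rights, so it pays to verify the effective policy on the endpoints themselves. The script below is an added example, not code from the video or from Microsoft's documentation. On a member server or workstation it exports the effective user rights with secedit and reports whether each of the five deny rights includes the Enterprise Admins SID (the forest root domain SID followed by the well-known RID 519). It refuses to run on a domain controller, since the video's policy must not be linked there. The domain SID lookup assumes the ActiveDirectory RSAT module is present; on hosts without it, pass the literal SID instead.

```powershell
# Added example, not from the video or the documentation it is based on.
# Verifies that the five deny rights on this member server/workstation include
# the Enterprise Admins SID. Run as a local administrator.

# Constant names as they appear in the secedit [Privilege Rights] section,
# mapped to the policy names shown in the User Rights Assignment UI.
$denyRights = @(
    'SeDenyNetworkLogonRight',           # Deny access to this computer from the network
    'SeDenyBatchLogonRight',             # Deny log on as a batch job
    'SeDenyServiceLogonRight',           # Deny log on as a service
    'SeDenyInteractiveLogonRight',       # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)

function Test-EnterpriseAdminsDenyRights {
    param([Parameter(Mandatory)][string]$EnterpriseAdminsSid)

    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        throw "This check is for member servers and workstations, not domain controllers."
    }

    # Export only the user rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    foreach ($right in $denyRights) {
        # Exported lines look like: SeDenyNetworkLogonRight = *S-1-5-21-...-519,*S-1-5-21-...-512
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $sids = @()
        if ($line) {
            $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.TrimStart('*').Trim() }
        }
        [pscustomobject]@{
            Right      = $right
            Configured = [bool]$line
            Denied     = ($sids -contains $EnterpriseAdminsSid)
        }
    }
}

# Derive the Enterprise Admins SID from the forest root domain SID (RID 519).
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
Test-EnterpriseAdminsDenyRights -EnterpriseAdminsSid "$rootSid-519" | Format-Table -AutoSize
```

Any row with Denied set to False is a host where the policy did not land as intended; check the GPO link, security filtering, and the Group Policy results report for that computer.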
Alerts should be sent to the users or teams responsible for administration of Active Directory, in addition to the incident response teams in your organization. You configure auditing for changes to the Enterprise Admins group by enabling the Audit Security Group Management audit policy in the Default Domain Controllers GPO. Enabling this policy setting allows you to audit events generated by changes to security groups, such as the following: a security group is created, changed or deleted; a member is added to or removed from a security group; a group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. If you do not configure this policy setting, no audit event is generated when a security group changes.

The events that you are interested in will be located in the DC Security log: Event ID 4755, a security-enabled universal group was changed; Event ID 4756, a member was added to a security-enabled universal group; and Event ID 4757, a member was removed from a security-enabled universal group. The image on the screen shows the event that occurs in the Security event log on the DC when a user account named "completely innocent" is added to the Enterprise Admins group while auditing of security group management is enabled.

In this video you learned about steps you can take to secure the built-in Enterprise Admins group that is created by default in the forest root domain of an Active Directory forest. The advice in this video is drawn from the article linked in the video description. Increasing the security controls applied to the Enterprise Admins group will improve your overall AD DS security posture, but will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed-breach philosophy. We are interested in hearing about your experiences as an AD DS administrator.
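Enabling the audit policy produces the events; turning them into the alerts described above still needs something to read the log. The following script is an added example, not code from the video or from Microsoft's documentation. It pulls events 4755, 4756 and 4757 from a domain controller's Security log, keeps only those whose target group SID ends in the Enterprise Admins RID 519, and builds an alert record naming who made the change and which member was added or removed. It assumes it runs on the DC (or against it with -ComputerName) as a user who can read the Security log; the alert delivery step is left as a labelled placeholder, since that depends on your mail or SIEM setup.

```powershell
# Added example, not from the video or the documentation it is based on.
# Turns Security Group Management events for Enterprise Admins into alert records.

# Map the audited event IDs to a short description of what happened.
$actionNames = @{
    4755 = 'group changed'
    4756 = 'member added'
    4757 = 'member removed'
}

function Get-EnterpriseAdminsChangeEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )

    $filter = @{ LogName = 'Security'; Id = 4755, 4756, 4757; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The event XML carries named fields: TargetUserName/TargetSid identify the group,
        # SubjectUserName identifies who made the change, MemberName the account involved.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Match on the well-known RID rather than the display name, which can be renamed.
        if ($d['TargetSid'] -notmatch '-519$') { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Action    = $actionNames[$e.Id]
            Group     = $d['TargetUserName']
            Member    = $d['MemberName']      # empty for 4755 (no member involved)
            ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            DC        = $e.MachineName
        }
    }
}

$alerts = @(Get-EnterpriseAdminsChangeEvents)
foreach ($a in $alerts) {
    $msg = "[{0}] {1}: {2} {3} by {4} (event {5} on {6})" -f `
        $a.Time, $a.Group, $a.Action, $a.Member, $a.ChangedBy, $a.EventId, $a.DC
    Write-Warning $msg
    # Placeholder: deliver $msg to the AD administration and incident response teams,
    # for example with Send-MailMessage or by forwarding to your SIEM.
}
```

Polling the log on a schedule works for a small environment; where you already forward DC Security logs to a SIEM, the same filter (event IDs 4755 to 4757 with a target SID ending in -519) is the rule to write there, so a single change reaches both the AD administrators and incident response without depending on one script.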
Have you implemented any of the security controls outlined in this video in your environment? What steps do you take in your own Active Directory Domain Services environment to secure the Enterprise Admins group? I hope you found this video useful and informative. My name is Orin Thomas. You can find me at aka.ms/orin, and if you've got any questions or feedback, drop a comment below.