STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Active Directory Forest Security Technical Implementation Guide

V-243502

CAT II (Medium)

Membership to the Schema Admins group must be limited.

Rule ID

SV-243502r1026198_rule

STIG

Active Directory Forest Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest. Changes to the schema are not frequently required. This group only contains the Built-in Administrator account by default. Additional accounts must only be added when changes to the schema are necessary and then must be removed.

Check Content

Open "Active Directory Users and Computers" on a domain controller in the forest root domain.

Navigate to the "Users" container.

Right-click on "Schema Admins" and select "Properties", and then select the "Members" tab.

If any accounts other than the built-in Administrators group are members, verify their necessity with the ISSO.

If any accounts are members of the group when schema changes are not being made, this is a finding.

Fix Text

Limit membership in the Schema Admins group to only those accounts necessary during a schema update. Remove accounts when the updates are complete. Document accounts necessary during schema updates with the ISSO.