
Can we remove SAP (our user PRDadm) from the AD domain admin group?

Mar 17, 2017 at 03:25 PM


Does the SAP SID have to be in the domain admin group for the installation and authorization process?

I feel this is kind of a security issue, as it has full domain admin access.

System and SAP admin roles are handled by different people.


2 Answers

Manuel Garcia
Mar 17, 2017 at 03:56 PM
1

Hi,

Are you sure that it was included in the domain administrator group in AD during the installation of the SAP system?

In my Netweaver systems domain user <sid>adm is only included in group SAP_<SID>_GlobalAdmin in AD and in local administrator group of the machines where the system <SID> is installed.

Best regards,

Manuel

Matt Fraser
Mar 17, 2017 at 04:23 PM
0

Hi Jasam,

As Manuel says, it is not necessary (nor recommended) for your sidadm and SAPServiceSID users to be members of Domain Admins. This might have come about perhaps due to confusion from the installation instructions, which state that the user used for initial installation of your system should be a Domain Admin. That user is not supposed to be your sidadm user. However, even that is not really necessary, as long as you get some cooperation from your "real" Domain Admins in the creation of necessary AD groups and users for your systems in advance of the installation. If that is the case, then the installation user just needs to be a member of the local Administrators group on the server.

Cheers,
Matt
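
One way to check the group memberships described in the two answers above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed, and the SID list (`PRD`, taken from the question's PRDadm user) is a value to adjust for your own systems.

```powershell
# Added example: audit SAP accounts for Domain Admins membership.
# Assumption: RSAT ActiveDirectory module is available on this host.
Import-Module ActiveDirectory

# Assumption: SAP system IDs to audit; replace with your own.
$SapSids = @('PRD')

# Resolve Domain Admins by its well-known RID (512) so a renamed
# or localized group is still found.
$domainSid    = (Get-ADDomain).DomainSID.Value
$domainAdmins = Get-ADGroup -Identity "$domainSid-512"

# -Recursive also catches membership inherited through nested groups.
$daMembers = Get-ADGroupMember -Identity $domainAdmins -Recursive |
    Select-Object -ExpandProperty SamAccountName

$report = foreach ($sid in $SapSids) {
    # Group and account names follow the pattern given in the answers:
    # <sid>adm, SAPService<SID>, SAP_<SID>_GlobalAdmin.
    $expectedGroup = "SAP_${sid}_GlobalAdmin"
    $accounts = @("$($sid.ToLower())adm", "SAPService$sid")

    foreach ($account in $accounts) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$account'"
        if (-not $user) {
            Write-Warning "$account not found in AD"
            continue
        }

        # Direct group memberships of the account.
        $groups = Get-ADPrincipalGroupMembership -Identity $user |
            Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Account         = $user.SamAccountName
            InDomainAdmins  = $daMembers -contains $user.SamAccountName
            InExpectedGroup = $groups -contains $expectedGroup
            DirectGroups    = $groups -join ', '
        }
    }
}

# Any row with InDomainAdmins = True is the condition the question describes.
$report | Format-Table -AutoSize
```

Membership in the local Administrators group on each SAP host, which the first answer also mentions, is stored on the servers themselves and is not covered by this domain-level check.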
