Former Member

Can we remove SAP (our user PRDadm) from the AD domain admin group?

Does the SAP SID have to be in the domain admin group for the installation and authorization process?

I feel this is kind of a security issue, as it has full domain admin access.

System and SAP admin roles are handled by different people.


2 Answers

  • Mar 17, 2017 at 03:56 PM


    Are you sure that it was included in the domain administrator group in AD during the installation of the SAP system?

    In my NetWeaver systems, the domain user <sid>adm is only included in the group SAP_<SID>_GlobalAdmin in AD and in the local administrator group of the machines where the system <SID> is installed.

    Best regards,



  • Mar 17, 2017 at 04:23 PM

    Hi Jasam,

    As Manuel says, it is not necessary (nor recommended) for your sidadm and SAPServiceSID users to be members of Domain Admins. This might have come about perhaps due to confusion from the installation instructions, which state that the user used for initial installation of your system should be a Domain Admin. That user is not supposed to be your sidadm user. However, even that is not really necessary, as long as you get some cooperation from your "real" Domain Admins in the creation of necessary AD groups and users for your systems in advance of the installation. If that is the case, then the installation user just needs to be a member of the local Administrators group on the server.


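The group layout described in the two answers can be checked with a small audit function. This is an added example, not part of the original thread or SAP's own tooling: the function name `Test-SapAccountGroups`, its parameters and the sample membership data are assumptions made for illustration, while the account and group names follow the thread.

```powershell
# Added example: flag SAP accounts that sit in domain-wide privileged groups.
# Assumed names: Test-SapAccountGroups and its parameters are hypothetical.
function Test-SapAccountGroups {
    param(
        [Parameter(Mandatory)][string]$Sid,
        # Group name -> member sAMAccountNames, nested membership already expanded
        [Parameter(Mandatory)][hashtable]$GroupMembers,
        # Groups the SAP accounts should NOT be in; extend as needed
        [string[]]$PrivilegedGroups = @('Domain Admins')
    )
    $sidAdm   = "$($Sid.ToLower())adm"
    $service  = "SAPService$($Sid.ToUpper())"
    $expected = "SAP_$($Sid.ToUpper())_GlobalAdmin"

    foreach ($account in @($sidAdm, $service)) {
        foreach ($group in $PrivilegedGroups) {
            # -contains is case-insensitive; a missing key yields $null -> $false
            $isMember = $GroupMembers[$group] -contains $account
            [pscustomobject]@{
                Account = $account
                Group   = $group
                Member  = $isMember
                Finding = if ($isMember) { 'REMOVE: not required for SAP' } else { 'OK' }
            }
        }
    }
    # Per the first answer, <sid>adm is expected in SAP_<SID>_GlobalAdmin
    $inExpected = $GroupMembers[$expected] -contains $sidAdm
    [pscustomobject]@{
        Account = $sidAdm
        Group   = $expected
        Member  = $inExpected
        Finding = if ($inExpected) { 'OK' } else { 'CHECK: expected membership missing' }
    }
}

# Constructed sample data mirroring the situation in the question.
# On a host with the ActiveDirectory module, each list can be built with:
#   (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
$sample = @{
    'Domain Admins'       = @('Administrator', 'prdadm')
    'SAP_PRD_GlobalAdmin' = @('prdadm', 'SAPServicePRD')
}
Test-SapAccountGroups -Sid 'PRD' -GroupMembers $sample | Format-Table -AutoSize
```

With the sample data, `prdadm` is flagged for removal from Domain Admins, while `SAPServicePRD` and the `SAP_PRD_GlobalAdmin` membership report OK.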