Increase number of domain admin not member of protected users

[Grujowmi]

Hello, Is it possible to increase the number of domain admins who are not in the "Protected Users" group? Clearly, guys, in a business context, there are at least two domain accounts that are not in the protected users group (for backup in case of problems). The limit of one is too restrictive.

[An-dir]

Perhaps if your only target is to have a report with 0 points. However, having at least some admin accounts wich are not in this group is still a risk you need to be aware of, even if they are only breakglass accounts. This may need to be re-evaluated at regular intervals. I am happy to receive reports of risks, as long as the countermeasures are documented.

[Grujowmi]

Perhaps if your only target is to have a report with 0 points. However, having at least some admin accounts wich are not in this group is still a risk you need to be aware of, even if they are only breakglass accounts. This may need to be re-evaluated at regular intervals. I am happy to receive reports of risks, as long as the countermeasures are documented.

Okay, let's take a concrete use case. You have a domain admin account to back up your domains with a Veeam. Veeam are not compatible with protected users, so you already have one account in the red. On top of that, you add a backup domain account. And there you go, you already have two. I'm not even mentioning the need for a backup admin account for the IT service provider. Just in case something happens to the IT department. I could also mention that scheduled tasks aren't compatible with protected users... According to the NIS2/ISO27001 standard, you should create one account per task (one Veeam/one task/one backup admin), so you're already at three accounts. We can optimize this, but it needs to be fewer than three (minimum two), not fewer than two. Looking forward to your reply.

[Grujowmi]

@An-dir Hello, i tag you because i don't know if u see my argument :)