Rob is technically correct, and I have modified the article to reflect this. Though we do not strictly forbid it, Symantec strongly recommends against making the VSA a member of Domain Admins, etc. The reason is that these groups have a default DENY permission on all mailboxes in the environment, which is ordained by the design of Microsoft Exchange. This will override any access the VSA is granted via other means; any customer who wants to place the VSA in one of these groups will need to modify the default permissions of the standard Microsoft-supplied AD group to remove the DENY. In addition to being more work for the EV admin, this also obviously has security implications for the other users in the group, which will find themselves no longer denied mailbox access. It also violates the principle of least privilege, as the VSA has access to all sorts of domain resources it doesn't need to do its job. Naturally we would like to avoid all this.
Ordinarily there is not really any benefit to having the VSA in one of these groups to begin with, so we find that the balance comes out easily in favor of not putting the VSA in these groups. I don't doubt that in some far-flung corner of the EV empire there exists a use case where the VSA's membership in Domain Admins is worthwhile, but it is pretty rare. Thus the strong recommendation.
