Learn which Active Directory identities may have default privileges due to default security group membership.
Certain default security groups in Active Directory (on-premises) that are created
when the domain is created grant privileged status by default. Membership in privileged
security groups can be used to control access to shared resources and delegate administrative
roles. Investigate identities that hold privileged status but do not require it, and check
whether that status comes from membership in one of these groups. Where possible, remove
such identities from the groups to strengthen your organization's identity posture.
The following table details default security groups that grant privileged status.
| Group | Description |
| --- | --- |
| Account Operators | Can create and modify most account types |
| Administrators | Has unrestricted access to computers or domain controllers |
| Backup Operators | Can back up and restore all files on a computer regardless of protected status |
| Domain Admins | Controls access to all domain controllers and administrative accounts in a domain |
| Domain Controllers | Has access to all domain controllers in a domain |
| Enterprise Admins | Can make forest-wide modifications including the addition of child domains |
| Print Operators | Can manage, create, share, and delete printers connected to domain controllers in the domain |
| Read-only Domain Controllers | Has read-only access to all domain controllers in a domain |
| Replicator | Can replicate file data, including system policies and logon scripts, across a domain |
| Schema Admins | Can modify the Active Directory schema |
| Server Operators | Can access and modify server configuration options on domain controllers; has no members by default |
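The following script is an added example of how to review membership of the groups listed above; it is not part of the original page. It assumes the RSAT `ActiveDirectory` PowerShell module is installed and that the account running it can read group membership in the domain. Nested membership is expanded with `-Recursive`, because an identity that reaches a privileged group through another group holds the same privileged status as a direct member.

```powershell
# Added example, not from the original page: list direct and nested members of the
# default privileged security groups so that identities which do not need privileged
# status can be reviewed and removed.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Group names exactly as listed in the table above.
$privilegedGroups = @(
    'Account Operators',
    'Administrators',
    'Backup Operators',
    'Domain Admins',
    'Domain Controllers',
    'Enterprise Admins',
    'Print Operators',
    'Read-only Domain Controllers',
    'Replicator',
    'Schema Admins',
    'Server Operators'
)

$report = foreach ($groupName in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so a lookup can legitimately return nothing in a child domain.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        [pscustomobject]@{ Group = $groupName; Member = '<group not found in this domain>'; ObjectClass = ''; Enabled = '' }
        continue
    }

    # -Recursive expands nested groups so indirect members are included.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    if (-not $members) {
        [pscustomobject]@{ Group = $groupName; Member = '<no members>'; ObjectClass = ''; Enabled = '' }
        continue
    }

    foreach ($m in $members) {
        # Only user objects carry an Enabled flag; computers and groups are reported as-is.
        $enabled = ''
        if ($m.objectClass -eq 'user') {
            $enabled = (Get-ADUser -Identity $m.distinguishedName -Properties Enabled).Enabled
        }
        [pscustomobject]@{
            Group       = $groupName
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            Enabled     = $enabled
        }
    }
}

# Sort by member first so identities present in several privileged groups stand out.
$report | Sort-Object Member, Group | Format-Table -AutoSize

# Write the review list to CSV for the identity owners (path is an assumption).
$report | Export-Csv -Path '.\privileged-group-members.csv' -NoTypeInformation
```

Review the CSV with the owners of each identity: entries whose `ObjectClass` is `user` and whose role does not require the group's rights are candidates for removal, and disabled users that still appear in a privileged group should be cleaned up as well.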