Common built-in AD groups

| Group Name | Description |
| --- | --- |
| Account Operators | Members can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log on locally to domain controllers. They cannot manage the Administrator account, administrative user accounts, or members of the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. |
| Administrators | Members have full and unrestricted access to a computer, or to an entire domain if they are in this group on a Domain Controller. |
| Backup Operators | Members can back up and restore all files on a computer, regardless of the permissions set on the files. Backup Operators can also log on to and shut down the computer. Members can log on to DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, which, if taken, can be used to extract credentials and other juicy info. |
| DnsAdmins | Members have access to network DNS information. The group is only created if the DNS server role is, or was at one time, installed on a domain controller in the domain. |
| Domain Admins | Members have full access to administer the domain and are members of the local Administrators group on all domain-joined machines. |
| Domain Computers | Any computers created in the domain (aside from domain controllers) are added to this group. |
| Domain Controllers | Contains all DCs within a domain. New DCs are added to this group automatically. |
| Domain Guests | This group includes the domain's built-in Guest account. Members of this group have a domain profile created when signing on to a domain-joined computer as a local guest. |
| Domain Users | This group contains all user accounts in a domain. A new user account created in the domain is automatically added to this group. |
| Enterprise Admins | Membership in this group provides complete configuration access within the domain. The group only exists in the root domain of an AD forest. Members of this group are granted the ability to make forest-wide changes such as adding a child domain or creating a trust. The Administrator account for the forest root domain is the only member of this group by default. |
| Event Log Readers | Members can read event logs on local computers. The group is only created when a host is promoted to a domain controller. |
| Group Policy Creator Owners | Members can create, edit, or delete Group Policy Objects in the domain. |
| Hyper-V Administrators | Members have complete and unrestricted access to all the features in Hyper-V. If there are virtual DCs in the domain, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins. |
| IIS_IUSRS | This is a built-in group used by Internet Information Services (IIS), beginning with IIS 7.0. |
| Pre-Windows 2000 Compatible Access | This group exists for backward compatibility with computers running Windows NT 4.0 and earlier. Membership in this group is often a leftover legacy configuration. It can lead to flaws where anyone on the network can read information from AD without a valid AD username and password. |
| Print Operators | Members can manage, create, share, and delete printers that are connected to domain controllers in the domain, along with any printer objects in AD. Members are allowed to log on to DCs locally, and this membership may be used to load a malicious printer driver and escalate privileges within the domain. |
| Protected Users | Members of this group are provided additional protections against credential theft and tactics such as Kerberos abuse. |
| Read-only Domain Controllers | Contains all Read-only Domain Controllers in the domain. |
| Remote Desktop Users | This group is used to grant users and groups permission to connect to a host via Remote Desktop (RDP). This group cannot be renamed, deleted, or moved. |
| Remote Management Users | This group can be used to grant users remote access to computers via Windows Remote Management (WinRM). |
| Schema Admins | Members can modify the Active Directory schema, which defines how all objects within AD are structured. This group only exists in the root domain of an AD forest. The Administrator account for the forest root domain is the only member of this group by default. |
| Server Operators | This group only exists on domain controllers. Members can modify services, access SMB shares, and back up files on domain controllers. By default, this group has no members. |
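As an added example that is not part of the original page, the following PowerShell audit enumerates the effective (nested) user membership of the high-privilege groups listed above so a defender can spot groups that should be empty or near-empty by default. It assumes the ActiveDirectory RSAT module is installed and that the caller has ordinary read access to the domain; the watchlist and its notes are assumptions drawn from the descriptions in the table, not Microsoft defaults.

```powershell
# Added example (not the page's own code): audit the built-in groups the table
# above flags as Domain Admin equivalents or as "should be empty by default".
Import-Module ActiveDirectory

# Assumed watchlist: group names are the real built-in names, the notes
# summarise why each group is sensitive according to the table above.
$watchlist = @(
    @{ Name = 'Domain Admins';                  Note = 'local admin on all domain-joined hosts' }
    @{ Name = 'Enterprise Admins';              Note = 'forest-wide changes; default member: forest root Administrator only' }
    @{ Name = 'Schema Admins';                  Note = 'schema changes; default member: forest root Administrator only' }
    @{ Name = 'Administrators';                 Note = 'full control of DCs / domain' }
    @{ Name = 'Account Operators';              Note = 'creates and modifies accounts, logs on to DCs' }
    @{ Name = 'Backup Operators';               Note = 'can copy SAM/NTDS; treat as Domain Admin' }
    @{ Name = 'Server Operators';               Note = 'no members by default' }
    @{ Name = 'Print Operators';                Note = 'logs on to DCs, can load printer drivers' }
    @{ Name = 'DnsAdmins';                      Note = 'DNS server configuration' }
    @{ Name = 'Group Policy Creator Owners';    Note = 'creates and edits GPOs' }
    @{ Name = 'Hyper-V Administrators';         Note = 'treat as Domain Admin if any DC is virtual' }
    @{ Name = 'Pre-Windows 2000 Compatible Access'; Note = 'legacy anonymous read; usually should be empty' }
)

$report = foreach ($g in $watchlist) {
    # Filter instead of -Identity so a missing group (e.g. DnsAdmins when the
    # DNS role was never installed) is skipped rather than raising an error.
    $group = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # -Recursive expands nested groups, so indirect members are counted too.
    $users = Get-ADGroupMember -Identity $group -Recursive |
             Where-Object { $_.objectClass -eq 'user' }

    [pscustomobject]@{
        Group   = $g.Name
        Members = @($users).Count
        Users   = (@($users).SamAccountName -join ', ')
        Why     = $g.Note
    }
}

# Largest (most exposed) memberships first; review anything beyond the stated defaults.
$report | Sort-Object Members -Descending | Format-Table -AutoSize
```

Compare the `Members` column against the defaults the table gives (for example, Server Operators should be empty and Schema Admins should contain only the forest root Administrator) and investigate any extra accounts.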
