Using the built-in groups

Using the built-in groups, such as Account Operators and Server Operators, is an easy and fast way to delegate administrative tasks in Active Directory. However, there are a number of things you need to be aware of:

  • The built-in Account Operators group provides more permissions than are actually required in many organizations. While you might expect the members of this group to merely have permissions to reset passwords of non-admins, they can create, modify, and delete all objects, except members of the Domain Admins group, in all OUs except the Domain Controllers OU. Although they may not modify the membership of the Domain Admins group, by default they may interactively sign in to domain controllers and have permissions to shut them down.
  • The built-in Server Operators group also grants permissions to interactively sign in to domain controllers. This might pose an unexpected security risk.
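
Because membership in either group effectively grants interactive access to domain controllers, a defender's first check is simply who ends up in them, including through nested groups. The following PowerShell is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed and that the session runs as a domain user with read access to the directory. It resolves the two groups by their well-known BUILTIN SIDs (S-1-5-32-548 and S-1-5-32-549), so it works regardless of localized or renamed display names.

```powershell
# Added example: audit membership of the built-in Account Operators and
# Server Operators groups, expanding nested groups.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Well-known SIDs of the BUILTIN groups discussed above.
$BuiltinOperatorGroups = @{
    'Account Operators' = 'S-1-5-32-548'
    'Server Operators'  = 'S-1-5-32-549'
}

function Get-BuiltinOperatorMember {
    <#
    .SYNOPSIS
      Returns every principal that is a member of Account Operators or
      Server Operators, directly or via nested group membership.
    #>
    [CmdletBinding()]
    param()

    foreach ($entry in $BuiltinOperatorGroups.GetEnumerator()) {
        # -Properties Members gives the direct members' DNs so we can flag
        # whether a principal was added directly or inherited via nesting.
        $group  = Get-ADGroup -Identity $entry.Value -Properties Members
        $direct = @($group.Members)

        try {
            # -Recursive walks nested groups so a user placed in a group that
            # is itself a member of Account Operators is not missed.
            $members = Get-ADGroupMember -Identity $group -Recursive
        }
        catch {
            # Get-ADGroupMember can fail when the group contains foreign
            # security principals from a trusted domain; fall back to the
            # direct member list so the audit still produces a result.
            Write-Warning "Recursive expansion of '$($entry.Key)' failed: $_. Reporting direct members only."
            $members = $direct | ForEach-Object { Get-ADObject -Identity $_ -Properties SamAccountName }
        }

        foreach ($m in $members) {
            [pscustomobject]@{
                Group             = $entry.Key
                MemberName        = $m.SamAccountName
                MemberClass       = $m.ObjectClass
                DirectMember      = ($direct -contains $m.DistinguishedName)
                DistinguishedName = $m.DistinguishedName
            }
        }
    }
}

function Test-BuiltinOperatorGroupsEmpty {
    <#
    .SYNOPSIS
      Returns $true when neither group has any member, which is the expected
      state in an environment that delegates rights explicitly instead.
    #>
    [CmdletBinding()]
    param()

    $members = @(Get-BuiltinOperatorMember)
    return ($members.Count -eq 0)
}

# Report: list every member, nested ones included, and summarize.
$report = Get-BuiltinOperatorMember
$report | Sort-Object Group, MemberName | Format-Table Group, MemberName, MemberClass, DirectMember -AutoSize

if (Test-BuiltinOperatorGroupsEmpty) {
    Write-Host 'Account Operators and Server Operators are empty.'
}
else {
    Write-Host "$(@($report).Count) principal(s) hold operator rights on domain controllers; review each one."
}
```

Run it from a domain-joined workstation or DC as an ordinary domain user; no elevated rights are needed to read group membership. Because both groups are domain-local groups in the BUILTIN container, additions to them are logged on the domain controller as Security event ID 4732 ("A member was added to a security-enabled local group"), which makes a straightforward alert to pair with this periodic check.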