Appendix B: Privileged Accounts and Groups in Active Directory

Appendix B: Privileged Accounts and Groups in Active Directory

"Privileged" accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. This appendix begins by discussing rights, privileges, and permissions, followed by information about the "highest privilege" accounts and groups in Active Directory,that is, the most powerful accounts and groups.

Information is also provided about built-in and default accounts and groups in Active Directory, in addition to their rights. Although specific configuration recommendations for securing the highest privilege accounts and groups are provided as separate appendices, this appendix provides background information that helps you identify the users and groups you should focus on securing. You should do so because they can be leveraged by attackers to compromise and even destroy your Active Directory installation.

Rights, Privileges, and Permissions in Active Directory

The differences between rights, permissions, and privileges can be confusing and contradictory, even within documentation from Microsoft. This section describes some of the characteristics of each as they are used in this document. These descriptions should not be considered authoritative for other Microsoft documentation, because it may use these terms differently.

Rights and Privileges

Rights and privileges are effectively the same system-wide capabilities that are granted to security principals such as users, services, computers, or groups. In interfaces typically used by IT professionals, these are usually referred to as "rights" or "user rights," and they are often assigned by Group Policy Objects. The following screenshot shows some of the most common user rights that can be assigned to security principals (it represents the Default Domain Controllers GPO in a Windows Server 2012 domain). Some of these rights apply to Active Directory, such as the Enable computer and user accounts to be trusted for delegation user right, while other rights apply to the Windows operating system, such as Change the system time.

privileged accounts and groups

In interfaces such as the Group Policy Object Editor, all of these assignable capabilities are referred to broadly as user rights. In reality however, some user rights are programmatically referred to as rights, while others are programmatically referred to as privileges. Table B-1: User Rights and Privileges provides some of the most common assignable user rights and their programmatic constants. Although Group Policy and other interfaces refer to all of these as user rights, some are programmatically identified as rights, while others are defined as privileges.

For more information about each of the user rights listed in the following table, use the links in the table or see Threats and Countermeasures Guide: User Rights in the Threats and Vulnerabilities Mitigation guide for Windows Server 2008 R2 on the Microsoft TechNet site. For information applicable to Windows Server 2008, please see User Rights in the Threats and Vulnerabilities Mitigation documentation on the Microsoft TechNet site. As of the writing of this document, corresponding documentation for Windows Server 2012 is not yet published.

Note

For the purposes of this document, the terms "rights" and "user rights" are used to identify rights and privileges unless otherwise specified.

Table B-1: User Rights and Privileges
User Right in Group Policy Name of Constant
Access Credential Manager as a trusted caller SeTrustedCredManAccessPrivilege
Access this computer from the network SeNetworkLogonRight
Act as part of the operating system SeTcbPrivilege
Add workstations to domain SeMachineAccountPrivilege
Adjust memory quotas for a process SeIncreaseQuotaPrivilege
Allow log on locally SeInteractiveLogonRight
Allow log on through Terminal Services SeRemoteInteractiveLogonRight
Back up files and directories SeBackupPrivilege
Bypass traverse checking SeChangeNotifyPrivilege
Change the system time SeSystemtimePrivilege
Change the time zone SeTimeZonePrivilege
Create a pagefile SeCreatePagefilePrivilege
Create a token object SeCreateTokenPrivilege
Create global objects SeCreateGlobalPrivilege
Create permanent shared objects SeCreatePermanentPrivilege
Create symbolic links SeCreateSymbolicLinkPrivilege
Debug programs SeDebugPrivilege
Deny access to this computer from the network SeDenyNetworkLogonRight
Deny log on as a batch job SeDenyBatchLogonRight
Deny log on as a service SeDenyServiceLogonRight
Deny log on locally SeDenyInteractiveLogonRight
Deny log on through Terminal Services SeDenyRemoteInteractiveLogonRight
Enable computer and user accounts to be trusted for delegation SeEnableDelegationPrivilege
Force shutdown from a remote system SeRemoteShutdownPrivilege
Generate security audits SeAuditPrivilege
Impersonate a client after authentication SeImpersonatePrivilege
Increase a process working set SeIncreaseWorkingSetPrivilege
Increase scheduling priority SeIncreaseBasePriorityPrivilege
Load and unload device drivers SeLoadDriverPrivilege
Lock pages in memory SeLockMemoryPrivilege
Log on as a batch job SeBatchLogonRight
Log on as a service SeServiceLogonRight
Manage auditing and security log SeSecurityPrivilege
Modify an object label SeRelabelPrivilege
Modify firmware environment values SeSystemEnvironmentPrivilege
Perform volume maintenance tasks SeManageVolumePrivilege
Profile single process SeProfileSingleProcessPrivilege
Profile system performance SeSystemProfilePrivilege
Remove computer from docking station SeUndockPrivilege
Replace a process level token SeAssignPrimaryTokenPrivilege
Restore files and directories SeRestorePrivilege
Shut down the system SeShutdownPrivilege
Synchronize directory service data SeSyncAgentPrivilege
Take ownership of files or other objects SeTakeOwnershipPrivilege

Permissions

Permissions are access controls that are applied to securable objects such as the file system, registry, service, and Active Directory objects. Each securable object has an associated access control list (ACL), which contains access control entries (ACEs) that grant or deny security principals (users, services, computers, or groups) the ability to perform various operations on the object. For example, the ACLs for many objects in Active Directory contain ACEs that allow Authenticated Users to read general information about the objects, but do not grant them the ability to read sensitive information or to change the objects. With the exception of each domain's built-in Guest account, every security principal that logs on and is authenticated by a domain controller in an Active Directory forest or a trusted forest has the Authenticated Users Security Identifier (SID) added to its access token by default. Therefore, whether a user, service, or computer account attempts to read general properties on user objects in a domain, the read operation is successful.

If a security principal attempts to access an object for which no ACEs are defined and that contain a SID that is present in the principal's access token, the principal cannot access the object. Moreover, if an ACE in an object's ACL contains a deny entry for a SID that matches the user's access token, the "deny" ACE will generally override a conflicting "allow" ACE. For more information about access control in Windows, see Access Control on the MSDN website.

Within this document, permissions refers to capabilities that are granted or denied to security principals on securable objects. Whenever there is a conflict between a user right and a permission, the user right generally takes precedence. For example, if an object in Active Directory has been configured with an ACL that denies Administrators all read and write access to an object, a user who is a member of the domain's Administrators group will be unable to view much information about the object. However, because the Administrators group is granted the user right "Take ownership of files or other objects," the user can simply take ownership of the object in question, then rewrite the object's ACL to grant Administrators full control of the object.

It is for this reason that this document encourages you to avoid using powerful accounts and groups for day-to-day administration, rather than trying to restrict the capabilities of the accounts and groups. It is not effectively possible to stop a determined user who has access to powerful credentials from using those credentials to gain access to any securable resource.

Built-in Privileged Accounts and Groups

Active Directory is intended to facilitate delegation of administration and the principle of least privilege in assigning rights and permissions. "Regular" users who have accounts in an Active Directory domain are, by default, able to read much of what is stored in the directory, but are able to change only a very limited set of data in the directory. Users who require additional privilege can be granted membership in various privileged groups that are built into the directory so that they may perform specific tasks related to their roles, but cannot perform tasks that are not relevant to their duties.

Within Active Directory, there are three built-in groups that comprise the highest privilege groups in the directory, plus a fourth group, the Schema Admins (SA) group:

The Schema Admins (SA) group, has privileges that, if abused, can damage or destroy an entire Active Directory forest, but this group is more restricted in its capabilities than the EA, DA, and BA groups.

In addition to these four groups, there are a number of additional built-in and default accounts and groups in Active Directory, each of which is granted rights and permissions that allow specific administrative tasks to be performed. Although this appendix does not provide a thorough discussion of every built-in or default group in Active Directory, it does provide a table of the groups and accounts that you're most likely to see in your installations.

For example, if you install Microsoft Exchange Server into an Active Directory forest, additional accounts and groups may be created in the Built-in and Users containers in your domains. This appendix describes only the groups and accounts that are created in the Built-in and Users containers in Active Directory, based on native roles and features. Accounts and groups that are created by the installation of enterprise software are not included.

Enterprise Admins

The Enterprise Admins (EA) group is located in the forest root domain, and by default, it is a member of the built-in Administrators group in every domain in the forest. The Built-in Administrator account in the forest root domain is the only default member of the EA group. EAs are granted rights and permissions that allow them to affect forest-wide changes. These are changes that affect all domains in the forest, such as adding or removing domains, establishing forest trusts, or raising forest functional levels. In a properly designed and implemented delegation model, EA membership is required only when first constructing the forest or when making certain forest-wide changes such as establishing an outbound forest trust.

The EA group is located by default in the Users container in the forest root domain, and it is a universal security group, unless the forest root domain is running in Windows 2000 Server mixed mode, in which case the group is a global security group. Although some rights are granted directly to the EA group, many of this group's rights are actually inherited by the EA group because it is a member of the Administrators group in each domain in the forest. Enterprise Admins have no default rights on workstations or member servers.

Domain Admins

Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's built-in Administrators (BA) group in addition to a member of the local Administrators group on every computer that is joined to the domain. The only default member of the DA group for a domain is the Built-in Administrator account for that domain.

DAs are all-powerful within their domains, while EAs have forest-wide privilege. In a properly designed and implemented delegation model, DA membership should be required only in "break glass" scenarios, which are situations in which an account with high levels of privilege on every computer in the domain is needed, or when certain domain wide changes must be made. Although native Active Directory delegation mechanisms do allow delegation to the extent that it is possible to use DA accounts only in emergency scenarios, constructing an effective delegation model can be time consuming, and many organizations use third-party applications to expedite the process.

The DA group is a global security group located in the Users container for the domain. There is one DA group for each domain in the forest, and the only default member of a DA group is the domain's Built-in Administrator account. Because a domain's DA group is nested in the domain's BA group and every domain-joined system's local Administrators group, DAs not only have permissions that are specifically granted to Domain Admins, but they also inherit all rights and permissions granted to the domain's Administrators group and the local Administrators group on all systems joined to the domain.

Administrators

The built-in Administrators (BA) group is a domain local group in a domain's Built-in container into which DAs and EAs are nested, and it is this group that is granted many of the direct rights and permissions in the directory and on domain controllers. However, the Administrators group for a domain does not have any privileges on member servers or on workstations. Membership in domain-joined computers' local Administrators group is where local privilege is granted; and of the groups discussed, only DAs are members of all domain-joined computers' local Administrators groups by default.

The Administrators group is a domain-local group in the domain's Built-in container. By default, every domain's BA group contains the local domain's Built-in Administrator account, the local domain's DA group, and the forest root domain's EA group. Many user rights in Active Directory and on domain controllers are granted specifically to the Administrators group, not to EAs or DAs. A domain's BA group is granted full control permissions on most directory objects, and can take ownership of directory objects. Although EA and DA groups are granted certain object-specific permissions in the forest and domains, much of the power of groups is actually "inherited" from their membership in BA groups.

Note

Although these are the default configurations of these privileged groups, a member of any one of the three groups can manipulate the directory to gain membership in any of the other groups. In some cases, it is trivial to achieve, while in others it is more difficult, but from the perspective of potential privilege, all three groups should be considered effectively equivalent.

Schema Admins

The Schema Admins (SA) group is a universal group in the forest root domain and has only that domain's Built-in Administrator account as a default member, similar to the EA group. Although membership in the SA group can allow an attacker to compromise the Active Directory schema, which is the framework for the entire Active Directory forest, SAs have few default rights and permissions beyond the schema.

You should carefully manage and monitor membership in the SA group, but in some respects, this group is "less privileged" than the three highest privileged groups described earlier because the scope of its privilege is very narrow; that is, SAs have no administrative rights anywhere other than the schema.

Additional Built-in and Default Groups in Active Directory

To facilitate delegating administration in the directory, Active Directory ships with various built-in and default groups that have been granted specific rights and permissions. These groups are described briefly in the following table.

The following table lists the built-in and default groups in Active Directory. Both sets of groups exist by default; however, built-in groups are located (by default) in the Built-in container in Active Directory, while default groups are located (by default) in the Users container in Active Directory. Groups in the Built-in container are all Domain Local groups, while groups in the Users container are a mixture of Domain Local, Global, and Universal groups, in addition to three individual user accounts (Administrator, Guest, and Krbtgt).

In addition to the highest privileged groups described earlier in this appendix, some built-in and default accounts and groups are granted elevated privileges and should also be protected and used only on secure administrative hosts. These groups and accounts can be found in the shaded rows in Table B-1: Built-in and Default Groups and Accounts in Active Directory. Because some of these groups and accounts are granted rights and permissions that can be misused to compromise Active Directory or domain controllers, they are afforded additional protections as described in Appendix C: Protected Accounts and Groups in Active Directory.

Table B-1: Built-in and Default Accounts and Groups in Active Directory
Account or Group Default Container, Group Scope and Type Description and Default User Rights
Access Control Assistance Operators (Active Directory in Windows Server 2012) Built-in container

Domain-local security group

Members of this group can remotely query authorization attributes and permissions for resources on this computer.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Account Operators Built-in container

Domain-local security group

Members can administer domain user and group accounts.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Administrator account Users container

Not a group

Built-in account for administering the domain.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Adjust memory quotas for a process

Allow log on locally

Allow log on through Remote Desktop Services

Back up files and directories

Bypass traverse checking

Change the system time

Change the time zone

Create a pagefile

Create global objects

Create symbolic links

Debug programs

Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system

Impersonate a client after authentication

Increase a process working set

Increase scheduling priority

Load and unload device drivers

Log on as a batch job

Manage auditing and security log

Modify firmware environment values

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Administrators group Built-in container

Domain-local security group

Administrators have complete and unrestricted access to the domain.

Direct user rights:

Access this computer from the network

Adjust memory quotas for a process

Allow log on locally

Allow log on through Remote Desktop Services

Back up files and directories

Bypass traverse checking

Change the system time

Change the time zone

Create a pagefile

Create global objects

Create symbolic links

Debug programs

Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system

Impersonate a client after authentication

Increase scheduling priority

Load and unload device drivers

Log on as a batch job

Manage auditing and security log

Modify firmware environment values

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Allowed RODC Password Replication Group Users container

Domain-local security group

Members in this group can have their passwords replicated to all read-only domain controllers in the domain.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Backup Operators Built-in container

Domain-local security group

Backup Operators can override security restrictions for the sole purpose of backing up or restoring files.

Direct user rights:

Allow log on locally

Back up files and directories

Log on as a batch job

Restore files and directories

Shut down the system

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Cert Publishers Users container

Domain-local security group

Members of this group are permitted to publish certificates to the directory.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Certificate Service DCOM Access Built-in container

Domain-local security group

If Certificate Services is installed on a domain controller (not recommended), this group grants DCOM enrollment access to Domain Users and Domain Computers.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Cloneable Domain Controllers (AD DS in Windows Server 2012AD DS) Users container

Global security group

Members of this group that are domain controllers may be cloned.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Cryptographic Operators Built-in container

Domain-local security group

Members are authorized to perform cryptographic operations.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Debugger Users This is neither a default nor a built-in group, but when present in AD DS, is cause for further investigation. The presence of a Debugger Users group indicates that debugging tools have been installed on the system at some point, whether via Visual Studio, SQL, Office, or other applications that require and support a debugging environment. This group allows remote debugging access to computers. When this group exists at the domain level, it indicates that a debugger or an application that contains a debugger has been installed on a domain controller.
Denied RODC Password Replication Group Users container

Domain-local security group

Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

DHCP Administrators Users container

Domain-local security group

Members of this group have administrative access to the DHCP Server service.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

DHCP Users Users container

Domain-local security group

Members of this group have view-only access to the DHCP Server service.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Distributed COM Users Built-in container

Domain-local security group

Members of this group are allowed to launch, activate, and use distributed COM objects on this computer.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

DnsAdmins Users container

Domain-local security group

Members of this group have administrative access to the DNS Server service.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

DnsUpdateProxy Users container

Global security group

Members of this group are DNS clients who are permitted to perform dynamic updates on behalf of clients that cannot themselves perform dynamic updates. Members of this group are typically DHCP servers.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Domain Admins Users container

Global security group

Designated administrators of the domain; Domain Admins is a member of every domain-joined computer's local Administrators group and receives rights and permissions granted to the local Administrators group, in addition to the domain's Administrators group.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Adjust memory quotas for a process

Allow log on locally

Allow log on through Remote Desktop Services

Back up files and directories

Bypass traverse checking

Change the system time

Change the time zone

Create a pagefile

Create global objects

Create symbolic links

Debug programs

Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system

Impersonate a client after authentication

Increase a process working set

Increase scheduling priority

Load and unload device drivers

Log on as a batch job

Manage auditing and security log

Modify firmware environment values

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Domain Computers Users container

Global security group

All workstations and servers that are joined to the domain are by default members of this group.

Default direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Domain Controllers Users container

Global security group

All domain controllers in the domain. Note: Domain controllers are not a member of the Domain Computers group.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Domain Guests Users container

Global security group

All guests in the domain

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Domain Users Users container

Global security group

All users in the domain

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Enterprise Admins (exists only in forest root domain) Users container

Universal security group

Enterprise Admins have permissions to change forest-wide configuration settings; Enterprise Admins is a member of every domain's Administrators group and receives rights and permissions granted to that group.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Adjust memory quotas for a process

Allow log on locally

Allow log on through Remote Desktop Services

Back up files and directories

Bypass traverse checking

Change the system time

Change the time zone

Create a pagefile

Create global objects

Create symbolic links

Debug programs

Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system

Impersonate a client after authentication

Increase a process working set

Increase scheduling priority

Load and unload device drivers

Log on as a batch job

Manage auditing and security log

Modify firmware environment values

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Enterprise Read-only Domain Controllers Users container

Universal security group

This group contains the accounts for all read-only domain controllers in the forest.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Event Log Readers Built-in container

Domain-local security group

Members of this group in can read the event logs on domain controllers.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Group Policy Creator Owners Users container

Global security group

Members of this group can create and modify Group Policy Objects in the domain.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Guest Users container

Not a group

This is the only account in an AD DS domain that does not have the Authenticated Users SID added to its access token. Therefore, any resources that are configured to grant access to the Authenticated Users group will not be accessible to this account. This behavior is not true of members of the Domain Guests and Guests groups, however- members of those groups do have the Authenticated Users SID added to their access tokens.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Bypass traverse checking

Increase a process working set

Guests Built-in container

Domain-local security group

Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted as described earlier.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Hyper-V Administrators (Windows Server 2012) Built-in container

Domain-local security group

Members of this group have complete and unrestricted access to all features of Hyper-V.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

IIS_IUSRS Built-in container

Domain-local security group

Built-in group used by Internet Information Services.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Incoming Forest Trust Builders (exists only in forest root domain) Built-in container

Domain-local security group

Members of this group can create incoming, one-way trusts to this forest. (Creation of outbound forest trusts is reserved for Enterprise Admins.)

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Krbtgt Users container

Not a group

The Krbtgt account is the service account for the Kerberos Key Distribution Center in the domain. This account has access to all accounts' credentials stored in Active Directory. This account is disabled by default and should never be enabled

User rights: N/A

Network Configuration Operators Built-in container

Domain-local security group

Members of this group are granted privileges that allow them to manage configuration of networking features.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Performance Log Users Built-in container

Domain-local security group

Members of this group can schedule logging of performance counters, enable trace providers, and collect event traces locally and via remote access to the computer.

Direct user rights:

Log on as a batch job

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Performance Monitor Users Built-in container

Domain-local security group

Members of this group can access performance counter data locally and remotely.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Pre-Windows 2000 Compatible Access Built-in container

Domain-local security group

This group exists for backward compatibility with operating systems prior to Windows 2000 Server, and it provides the ability for members to read user and group information in the domain.

Direct user rights:

Access this computer from the network

Bypass traverse checking

Inherited user rights:

Add workstations to domain

Increase a process working set

Print Operators Built-in container

Domain-local security group

Members of this group can administer domain printers.

Direct user rights:

Allow log on locally

Load and unload device drivers

Shut down the system

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

RAS and IAS Servers Users container

Domain-local security group

Servers in this group can read remote access properties on user accounts in the domain.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

RDS Endpoint Servers (Windows Server 2012) Built-in container

Domain-local security group

Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

RDS Management Servers (Windows Server 2012) Built-in container

Domain-local security group

Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

RDS Remote Access Servers (Windows Server 2012) Built-in container

Domain-local security group

Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Read-only Domain Controllers Users container

Global security group

This group contains all read-only domain controllers in the domain.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Remote Desktop Users Built-in container

Domain-local security group

Members of this group are granted the right to log on remotely using RDP.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Remote Management Users (Windows Server 2012) Built-in container

Domain-local security group

Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Replicator Built-in container

Domain-local security group

Supports legacy file replication in a domain.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Schema Admins (exists only in forest root domain) Users container

Universal security group

Schema admins are the only users who can make modifications to the Active Directory schema, and only if the schema is write-enabled.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Server Operators Built-in container

Domain-local security group

Members of this group can administer domain controllers.

Direct user rights:

Allow log on locally

Back up files and directories

Change the system time

Change the time zone

Force shutdown from a remote system

Restore files and directories

Shut down the system

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Terminal Server License Servers Built-in container

Domain-local security group

Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage

Default direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

Users Built-in container

Domain-local security group

Users have permissions that allow them to read many objects and attributes in Active Directory, although they cannot change most. Users are prevented from making accidental or intentional system-wide changes and can run most applications.

Direct user rights:

Increase a process working set

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Windows Authorization Access Group Built-in container

Domain-local security group

Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set

WinRMRemoteWMIUsers_ (Windows Server 2012) Users container

Domain-local security group

Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Direct user rights: None

Inherited user rights:

Access this computer from the network

Add workstations to domain

Bypass traverse checking

Increase a process working set