"Account Ops-FC" access control entry (ACE)

Account Operators is a default groups located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution. 

 

On computers running Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, by default, a newly created computer account is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over the computer account. If a server that is represented by this computer account is promoted to a domain controller, the computer account retains this "Account Ops-FC" ACE and therefore, members of the Account Operators group will have full control on this domain controller, which is not a recommended configuration.

 

The "Account Ops-FC" ACE is also assigned by default to domain controllers that you promote by running dcpromo.exe on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 machines and joining them to an existing Active Directory domain.

 

To modify permissions for Account Operators on such computer accounts and domain controller accounts, you can use the Active Directory Administrative Center (in Windows Server 2008 R2) or Active Directory Users and Computers (in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2) and complete the following steps:

1. Right-click the computer account that represents the server that you want to promote to a domain controller status (or the affected domain controller account), and then click Properties.
2. On the Security tab, (in the Active Directory Administrative Center, locate the Security tab in the Extensions section of the Properties window), select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.

This posting is provided "AS IS" with no warranties, and confers no rights.

Comments

• Anonymous
  January 01, 2003
  Active Directory Documentation Team has put on the web interesting post about default permissions of

• Anonymous
  January 01, 2003
  PingBack from http://program.cgwebstudio.com/active-directory-documentation-team-account-operators-group-and/

• Anonymous
  January 01, 2003
  This is great info to make available to the public. I am curious why this is being made publically available 10 years after AD was released. Better late than never I guess. I have always preached that the built-in groups should not be used. I have seen many cases where the Account Operators group has been used to exploit AD and DCs. I posted about this a while back (http://policelli.com/blog/?p=128). This lingering ACE is another reason to NOT use the built-in groups, especially the Account Operators group.

• Anonymous
  January 23, 2013
  On 2008 R2 Account Operators cannot shutdown a DC