This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 24%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Hello,
I need to create delegate administration access in Active Directory but i have some difficulties to find the best practise for this.
I've read many posts where answers advised to let Account operators group empty but i never found any explanations about the reason.
Can you explain me where is the risk with that group please ? Can someone escalade to admin account or privilege with this access ?
Thanks !
Sorry for my English ;)
Damien
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
I am checking how the issue is going, if you still have any questions, please feel free to contact us.
Thank you so much for your time and support.
Best regards,
Hannah Xiong
Hello,
Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?
Thank you so much for your time and support.
Best regards,
Hannah Xiong
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Some details here on groups.
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#active-directory-default-security-groups-by-operating-system-version
--please don't forget to Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
The idea is to reduce number of the member of group with privilege and add only users who need this high privlege .Because when a account with high privilege compromised , it can make a huge damage.
I invite you to read this article to get more details about group with high privileage in active directory:
review-and-reduce-the-number-of-accounts-in-highly-privileged-administrative-groups
----------
Please don't forget to mark helpful reply as answer
Thank you Patrick.
I've read this article before but I think I was more confused after reading it than before.
In the article, Microsoft says in the second paragraph that "Members of the Account Operators group cannot manage the Administrator user account,... Server Operators," and in the purple note that "This group is considered a service administrator group because it can modify Server Operators".
My english is certainly bad but manage and modify seems to be the same thing, right?
During my tests, I couldn't be able to change anything in Server Operators group (membership, no Security tab, group scope) when I used my delegate account member of Account Operators.
If it's the only reason, I have no clues to say it's dangerous in my situation...