3.1.1.6.1.2 Protected Objects
In domain d, the set S of all security principal objects o that are protected is defined as follows:
(o!objectClass = group AND attribute o!groupType & GROUP_TYPE_SECURITY_ENABLED ≠ 0) OR (o!objectClass = user)
AND either
o is a member, directly or transitively, of any group in the set:
- built-in well-known group with RID = DOMAIN_ALIAS_RID_ADMINS
- built-in well-known group with RID = DOMAIN_ALIAS_RID_ACCOUNT_OPS
- built-in well-known group with RID = DOMAIN_ALIAS_RID_SYSTEM_OPS
- built-in well-known group with RID = DOMAIN_ALIAS_RID_PRINT_OPS
- built-in well-known group with RID = DOMAIN_ALIAS_RID_BACKUP_OPS
- built-in well-known group with RID = DOMAIN_ALIAS_RID_REPLICATOR
- account domain well-known group with RID = DOMAIN_GROUP_RID_ADMINS
- account domain well-known group with RID = DOMAIN_GROUP_RID_SCHEMA_ADMINS
- account domain well-known group with RID = DOMAIN_GROUP_RID_ENTERPRISE_ADMINS
OR, is one of the following well-known security principals:
- of class user with RID = DOMAIN_USER_RID_ADMIN
- of class user with RID = DOMAIN_USER_RID_KRBTGT
- of class group with RID = DOMAIN_GROUP_RID_CONTROLLERS
- of class group with RID = DOMAIN_GROUP_RID_READONLY_CONTROLLERS
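The definition above, evaluated over a small constructed directory, as an added example that is not part of the specification. The `Obj` model, the sample objects and the function name are hypothetical; the code assumes the grouping "class test AND (membership OR well-known principal)", that transitive membership follows nesting through any group (including non-security groups), and that the well-known principals are account-domain objects.

```python
from dataclasses import dataclass

GROUP_TYPE_SECURITY_ENABLED = 0x80000000
# RID values of the constants named in the definition (Windows SDK values).
BUILTIN_ROOTS = {544, 548, 549, 550, 551, 552}  # DOMAIN_ALIAS_RID_ADMINS .. _REPLICATOR
DOMAIN_ROOTS = {512, 518, 519}    # DOMAIN_GROUP_RID_ADMINS, _SCHEMA_ADMINS, _ENTERPRISE_ADMINS
WELL_KNOWN = {("user", 500), ("user", 502), ("group", 516), ("group", 521)}

@dataclass(frozen=True)
class Obj:                 # hypothetical in-memory model of a directory object
    name: str
    object_class: str      # "user" or "group"
    rid: int
    group_type: int = 0    # signed 32-bit, as LDAP returns groupType
    members: tuple = ()    # names of direct members
    builtin: bool = False  # True for the built-in domain (S-1-5-32)

def protected_set(objects):
    by_name = {o.name: o for o in objects}
    roots = [o for o in objects if o.object_class == "group"
             and o.rid in (BUILTIN_ROOTS if o.builtin else DOMAIN_ROOTS)]
    # Transitive closure of membership; `seen` stops nesting cycles looping forever.
    seen, work = set(), [m for g in roots for m in g.members]
    while work:
        name = work.pop()
        if name not in seen and name in by_name:
            seen.add(name)
            work.extend(by_name[name].members)
    result = set()
    for o in objects:
        if o.object_class == "group":
            class_ok = (o.group_type & GROUP_TYPE_SECURITY_ENABLED) != 0
        else:
            class_ok = o.object_class == "user"
        # Assumption: the well-known principals live in the account domain.
        well_known = not o.builtin and (o.object_class, o.rid) in WELL_KNOWN
        # Literal reading: class test AND (member of a listed group OR well-known).
        if class_ok and (o.name in seen or well_known):
            result.add(o.name)
    return result

SEC_GLOBAL, DIST_GLOBAL = -2147483646, 2   # groupType 0x80000002 (signed) and 0x2
SAMPLE = [  # constructed directory, not real data
    Obj("Administrators", "group", 544, -2147483643, ("Domain Admins", "Administrator"), True),
    Obj("Domain Admins", "group", 512, SEC_GLOBAL, ("alice", "Tier0-DL")),
    Obj("Tier0-DL", "group", 1105, DIST_GLOBAL, ("bob", "Domain Admins")),  # nesting cycle
    Obj("Domain Controllers", "group", 516, SEC_GLOBAL),
    Obj("Administrator", "user", 500), Obj("krbtgt", "user", 502),
    Obj("alice", "user", 1106), Obj("bob", "user", 1107), Obj("carol", "user", 1108),
]
```

In the sample, `bob` is reached only through the distribution group `Tier0-DL`: the group itself fails the GROUP_TYPE_SECURITY_ENABLED test, but its member still satisfies the transitive-membership clause, which is the case to check when auditing nested groups.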