Appendix B: Privileged Accounts and Groups in Active Directory
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012
Appendix B: Privileged Accounts and Groups in Active Directory
“Privileged” accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. This appendix begins by discussing rights, privileges, and permissions, followed by information about the “highest privilege” accounts and groups in Active Directory,that is, the most powerful accounts and groups.
Information is also provided about built-in and default accounts and groups in Active Directory, in addition to their rights. Although specific configuration recommendations for securing the highest privilege accounts and groups are provided as separate appendices, this appendix provides background information that helps you identify the users and groups you should focus on securing. You should do so because they can be leveraged by attackers to compromise and even destroy your Active Directory installation.
Rights, Privileges, and Permissions in Active Directory
The differences between rights, permissions, and privileges can be confusing and contradictory, even within documentation from Microsoft. This section describes some of the characteristics of each as they are used in this document. These descriptions should not be considered authoritative for other Microsoft documentation, because it may use these terms differently.
Rights and Privileges
Rights and privileges are effectively the same thing—system-wide capabilities that are granted to security principals such as users, services, computers, or groups. In interfaces typically used by IT professionals, these are usually referred to as “rights” or “user rights,” and they are often assigned by Group Policy Objects. The following screenshot shows some of the most common user rights that can be assigned to security principals (it represents the Default Domain Controllers GPO in a Windows Server 2012 domain). Some of these rights apply to Active Directory, such as the Enable computer and user accounts to be trusted for delegation user right, while other rights apply to the Windows operating system, such as Change the system time.
In interfaces such as the Group Policy Object Editor, all of these assignable capabilities are referred to broadly as user rights. In reality however, some user rights are programmatically referred to as rights, while others are programmatically referred to as privileges. Table B-1: User Rights and Privileges provides some of the most common assignable user rights and their programmatic constants. Although Group Policy and other interfaces refer to all of these as user rights, some are programmatically identified as rights, while others are defined as privileges.
For more information about each of the user rights listed in the following table, use the links in the table or see Threats and Countermeasures Guide: User Rights in the Threats and Vulnerabilities Mitigation guide for Windows Server 2008 R2 on the Microsoft TechNet site. For information applicable to Windows Server 2008, please see User Rights in the Threats and Vulnerabilities Mitigation documentation on the Microsoft TechNet site. As of the writing of this document, corresponding documentation for Windows Server 2012 is not yet published.
Note
For the purposes of this document, the terms “rights” and “user rights” are used to identify rights and privileges unless otherwise specified.
Table B-1: User Rights and Privileges
User Right in Group Policy |
Name of Constant |
SeTrustedCredManAccessPrivilege |
|
SeNetworkLogonRight |
|
SeTcbPrivilege |
|
SeMachineAccountPrivilege |
|
SeIncreaseQuotaPrivilege |
|
SeInteractiveLogonRight |
|
SeRemoteInteractiveLogonRight |
|
SeBackupPrivilege |
|
SeChangeNotifyPrivilege |
|
SeSystemtimePrivilege |
|
SeTimeZonePrivilege |
|
SeCreatePagefilePrivilege |
|
SeCreateTokenPrivilege |
|
SeCreateGlobalPrivilege |
|
SeCreatePermanentPrivilege |
|
SeCreateSymbolicLinkPrivilege |
|
SeDebugPrivilege |
|
SeDenyNetworkLogonRight |
|
SeDenyBatchLogonRight |
|
SeDenyServiceLogonRight |
|
SeDenyInteractiveLogonRight |
|
SeDenyRemoteInteractiveLogonRight |
|
Enable computer and user accounts to be trusted for delegation |
SeEnableDelegationPrivilege |
SeRemoteShutdownPrivilege |
|
SeAuditPrivilege |
|
SeImpersonatePrivilege |
|
SeIncreaseWorkingSetPrivilege |
|
SeIncreaseBasePriorityPrivilege |
|
SeLoadDriverPrivilege |
|
SeLockMemoryPrivilege |
|
SeBatchLogonRight |
|
SeServiceLogonRight |
|
SeSecurityPrivilege |
|
SeRelabelPrivilege |
|
SeSystemEnvironmentPrivilege |
|
SeManageVolumePrivilege |
|
SeProfileSingleProcessPrivilege |
|
SeSystemProfilePrivilege |
|
SeUndockPrivilege |
|
SeAssignPrimaryTokenPrivilege |
|
SeRestorePrivilege |
|
SeShutdownPrivilege |
|
SeSyncAgentPrivilege |
|
SeTakeOwnershipPrivilege |
Permissions
Permissions are access controls that are applied to securable objects such as the file system, registry, service, and Active Directory objects. Each securable object has an associated access control list (ACL), which contains access control entries (ACEs) that grant or deny security principals (users, services, computers, or groups) the ability to perform various operations on the object. For example, the ACLs for many objects in Active Directory contain ACEs that allow Authenticated Users to read general information about the objects, but do not grant them the ability to read sensitive information or to change the objects.
With the exception of each domain’s built-in Guest account, every security principal that logs on and is authenticated by a domain controller in an Active Directory forest or a trusted forest has the Authenticated Users Security Identifier (SID) added to its access token by default. Therefore, whether a user, service, or computer account attempts to read general properties on user objects in a domain, the read operation is successful.
If a security principal attempts to access an object for which no ACEs are defined and that contain a SID that is present in the principal’s access token, the principal cannot access the object. Moreover, if an ACE in an object’s ACL contains a deny entry for a SID that matches the user’s access token, the “deny” ACE will generally override a conflicting “allow” ACE. For more information about access control in Windows, see Access Control on the MSDN website.
Within this document, permissions refers to capabilities that are granted or denied to security principals on securable objects. Whenever there is a conflict between a user right and a permission, the user right generally takes precedence. For example, if an object in Active Directory has been configured with an ACL that denies Administrators all read and write access to an object, a user who is a member of the domain’s Administrators group will be unable to view much information about the object. However, because the Administrators group is granted the user right “Take ownership of files or other objects,” the user can simply take ownership of the object in question, then rewrite the object’s ACL to grant Administrators full control of the object.
It is for this reason that this document encourages you to avoid using powerful accounts and groups for day-to-day administration, rather than trying to restrict the capabilities of the accounts and groups. It is not effectively possible to stop a determined user who has access to powerful credentials from using those credentials to gain access to any securable resource.
Built-in Privileged Accounts and Groups
Active Directory is intended to facilitate delegation of administration and the principle of least privilege in assigning rights and permissions. “Regular” users who have accounts in an Active Directory domain are, by default, able to read much of what is stored in the directory, but are able to change only a very limited set of data in the directory. Users who require additional privilege can be granted membership in various privileged groups that are built into the directory so that they may perform specific tasks related to their roles, but cannot perform tasks that are not relevant to their duties.
Within Active Directory, there are three built-in groups that comprise the highest privilege groups in the directory: the Enterprise Admins (EA) group, the Domain Admins (DA) group, and the built-in Administrators (BA) group.
A fourth group, the Schema Admins (SA) group, has privileges that, if abused, can damage or destroy an entire Active Directory forest, but this group is more restricted in its capabilities than the EA, DA, and BA groups.
In addition to these four groups, there are a number of additional built-in and default accounts and groups in Active Directory, each of which is granted rights and permissions that allow specific administrative tasks to be performed. Although this appendix does not provide a thorough discussion of every built-in or default group in Active Directory, it does provide a table of the groups and accounts that you’re most likely to see in your installations.
For example, if you install Microsoft Exchange Server into an Active Directory forest, additional accounts and groups may be created in the Built-in and Users containers in your domains. This appendix describes only the groups and accounts that are created in the Built-in and Users containers in Active Directory, based on native roles and features. Accounts and groups that are created by the installation of enterprise software are not included.
Enterprise Admins
The Enterprise Admins (EA) group is located in the forest root domain, and by default, it is a member of the built-in Administrators group in every domain in the forest. The Built-in Administrator account in the forest root domain is the only default member of the EA group. EAs are granted rights and permissions that allow them to affect forest-wide changes. These are changes that affect all domains in the forest, such as adding or removing domains, establishing forest trusts, or raising forest functional levels. In a properly designed and implemented delegation model, EA membership is required only when first constructing the forest or when making certain forest-wide changes such as establishing an outbound forest trust.
The EA group is located by default in the Users container in the forest root domain, and it is a universal security group, unless the forest root domain is running in Windows 2000 Server mixed mode, in which case the group is a global security group. Although some rights are granted directly to the EA group, many of this group’s rights are actually inherited by the EA group because it is a member of the Administrators group in each domain in the forest. Enterprise Admins have no default rights on workstations or member servers.
Domain Admins
Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain’s built-in Administrators (BA) group in addition to a member of the local Administrators group on every computer that is joined to the domain. The only default member of the DA group for a domain is the Built-in Administrator account for that domain.
DAs are all-powerful within their domains, while EAs have forest-wide privilege. In a properly designed and implemented delegation model, DA membership should be required only in “break glass” scenarios, which are situations in which an account with high levels of privilege on every computer in the domain is needed, or when certain domain wide changes must be made. Although native Active Directory delegation mechanisms do allow delegation to the extent that it is possible to use DA accounts only in emergency scenarios, constructing an effective delegation model can be time consuming, and many organizations use third-party applications to expedite the process.
The DA group is a global security group located in the Users container for the domain. There is one DA group for each domain in the forest, and the only default member of a DA group is the domain’s Built-in Administrator account. Because a domain’s DA group is nested in the domain’s BA group and every domain-joined system’s local Administrators group, DAs not only have permissions that are specifically granted to Domain Admins, but they also inherit all rights and permissions granted to the domain’s Administrators group and the local Administrators group on all systems joined to the domain.
Administrators
The built-in Administrators (BA) group is a domain local group in a domain’s Built-in container into which DAs and EAs are nested, and it is this group that is granted many of the direct rights and permissions in the directory and on domain controllers. However, the Administrators group for a domain does not have any privileges on member servers or on workstations. Membership in domain-joined computers’ local Administrators group is where local privilege is granted; and of the groups discussed, only DAs are members of all domain-joined computers’ local Administrators groups by default.
The Administrators group is a domain-local group in the domain’s Built-in container. By default, every domain’s BA group contains the local domain’s Built-in Administrator account, the local domain’s DA group, and the forest root domain’s EA group. Many user rights in Active Directory and on domain controllers are granted specifically to the Administrators group, not to EAs or DAs. A domain’s BA group is granted full control permissions on most directory objects, and can take ownership of directory objects. Although EA and DA groups are granted certain object-specific permissions in the forest and domains, much of the power of groups is actually “inherited” from their membership in BA groups.
Note
Although these are the default configurations of these privileged groups, a member of any one of the three groups can manipulate the directory to gain membership in any of the other groups. In some cases, it is trivial to achieve, while in others it is more difficult, but from the perspective of potential privilege, all three groups should be considered effectively equivalent.
Schema Admins
The Schema Admins (SA) group is a universal group in the forest root domain and has only that domain’s Built-in Administrator account as a default member, similar to the EA group. Although membership in the SA group can allow an attacker to compromise the Active Directory schema, which is the framework for the entire Active Directory forest, SAs have few default rights and permissions beyond the schema.
You should carefully manage and monitor membership in the SA group, but in some respects, this group is “less privileged” than the three highest privileged groups described earlier because the scope of its privilege is very narrow; that is, SAs have no administrative rights anywhere other than the schema.
Additional Built-in and Default Groups in Active Directory
To facilitate delegating administration in the directory, Active Directory ships with various built-in and default groups that have been granted specific rights and permissions. These groups are described briefly in the following table.
The following table lists the built-in and default groups in Active Directory. Both sets of groups exist by default; however, built-in groups are located (by default) in the Built-in container in Active Directory, while default groups are located (by default) in the Users container in Active Directory. Groups in the Built-in container are all Domain Local groups, while groups in the Users container are a mixture of Domain Local, Global, and Universal groups, in addition to three individual user accounts (Administrator, Guest, and Krbtgt).
In addition to the highest privileged groups described earlier in this appendix, some built-in and default accounts and groups are granted elevated privileges and should also be protected and used only on secure administrative hosts. These groups and accounts can be found in the shaded rows in Table B-1: Built-in and Default Groups and Accounts in Active Directory. Because some of these groups and accounts are granted rights and permissions that can be misused to compromise Active Directory or domain controllers, they are afforded additional protections as described in Appendix C: Protected Accounts and Groups in Active Directory.
Table B-1: Built-in and Default Accounts and Groups in Active Directory
Account or Group |
Default Container, Group Scope and Type |
Description and Default User Rights |
Access Control Assistance Operators (Active Directory in Windows Server 2012) |
Built-in container Domain-local security group |
Members of this group can remotely query authorization attributes and permissions for resources on this computer. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Account Operators |
Built-in container Domain-local security group |
Members can administer domain user and group accounts. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Administrator account |
Users container Not a group |
Built-in account for administering the domain. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Adjust memory quotas for a process Allow log on locally Allow log on through Remote Desktop Services Back up files and directories Bypass traverse checking Change the system time Change the time zone Create a pagefile Create global objects Create symbolic links Debug programs Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Impersonate a client after authentication Increase a process working set Increase scheduling priority Load and unload device drivers Log on as a batch job Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Restore files and directories Shut down the system Take ownership of files or other objects |
Administrators group |
Built-in container Domain-local security group |
Administrators have complete and unrestricted access to the domain. Direct user rights: Access this computer from the network Adjust memory quotas for a process Allow log on locally Allow log on through Remote Desktop Services Back up files and directories Bypass traverse checking Change the system time Change the time zone Create a pagefile Create global objects Create symbolic links Debug programs Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Log on as a batch job Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Restore files and directories Shut down the system Take ownership of files or other objects Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Allowed RODC Password Replication Group |
Users container Domain-local security group |
Members in this group can have their passwords replicated to all read-only domain controllers in the domain. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Backup Operators |
Built-in container Domain-local security group |
Backup Operators can override security restrictions for the sole purpose of backing up or restoring files. Direct user rights: Allow log on locally Back up files and directories Log on as a batch job Restore files and directories Shut down the system Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Cert Publishers |
Users container Domain-local security group |
Members of this group are permitted to publish certificates to the directory. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Certificate Service DCOM Access |
Built-in container Domain-local security group |
If Certificate Services is installed on a domain controller (not recommended), this group grants DCOM enrollment access to Domain Users and Domain Computers. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Cloneable Domain Controllers (AD DS in Windows Server 2012AD DS) |
Users container Global security group |
Members of this group that are domain controllers may be cloned. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Cryptographic Operators |
Built-in container Domain-local security group |
Members are authorized to perform cryptographic operations. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Debugger Users |
This is neither a default nor a built-in group, but when present in AD DS, is cause for further investigation. |
The presence of a Debugger Users group indicates that debugging tools have been installed on the system at some point, whether via Visual Studio, SQL, Office, or other applications that require and support a debugging environment. This group allows remote debugging access to computers. When this group exists at the domain level, it indicates that a debugger or an application that contains a debugger has been installed on a domain controller. |
Denied RODC Password Replication Group |
Users container Domain-local security group |
Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
DHCP Administrators |
Users container Domain-local security group |
Members of this group have administrative access to the DHCP Server service. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
DHCP Users |
Users container Domain-local security group |
Members of this group have view-only access to the DHCP Server service. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Distributed COM Users |
Built-in container Domain-local security group |
Members of this group are allowed to launch, activate, and use distributed COM objects on this computer. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
DnsAdmins |
Users container Domain-local security group |
Members of this group have administrative access to the DNS Server service. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
DnsUpdateProxy |
Users container Global security group |
Members of this group are DNS clients who are permitted to perform dynamic updates on behalf of clients that cannot themselves perform dynamic updates. Members of this group are typically DHCP servers. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Domain Admins |
Users container Global security group |
Designated administrators of the domain; Domain Admins is a member of every domain-joined computer’s local Administrators group and receives rights and permissions granted to the local Administrators group, in addition to the domain’s Administrators group. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Adjust memory quotas for a process Allow log on locally Allow log on through Remote Desktop Services Back up files and directories Bypass traverse checking Change the system time Change the time zone Create a pagefile Create global objects Create symbolic links Debug programs Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Impersonate a client after authentication Increase a process working set Increase scheduling priority Load and unload device drivers Log on as a batch job Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Restore files and directories Shut down the system Take ownership of files or other objects |
Domain Computers |
Users container Global security group |
All workstations and servers that are joined to the domain are by default members of this group. Default direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Domain Controllers |
Users container Global security group |
All domain controllers in the domain. Note: Domain controllers are not a member of the Domain Computers group. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Domain Guests |
Users container Global security group |
All guests in the domain Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Domain Users |
Users container Global security group |
All users in the domain Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Enterprise Admins (exists only in forest root domain) |
Users container Universal security group |
Enterprise Admins have permissions to change forest-wide configuration settings; Enterprise Admins is a member of every domain’s Administrators group and receives rights and permissions granted to that group. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Adjust memory quotas for a process Allow log on locally Allow log on through Remote Desktop Services Back up files and directories Bypass traverse checking Change the system time Change the time zone Create a pagefile Create global objects Create symbolic links Debug programs Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Impersonate a client after authentication Increase a process working set Increase scheduling priority Load and unload device drivers Log on as a batch job Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Restore files and directories Shut down the system Take ownership of files or other objects |
Enterprise Read-only Domain Controllers |
Users container Universal security group |
This group contains the accounts for all read-only domain controllers in the forest. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Event Log Readers |
Built-in container Domain-local security group |
Members of this group in can read the event logs on domain controllers. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Group Policy Creator Owners |
Users container Global security group |
Members of this group can create and modify Group Policy Objects in the domain. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Guest |
Users container Not a group |
This is the only account in an AD DS domain that does not have the Authenticated Users SID added to its access token. Therefore, any resources that are configured to grant access to the Authenticated Users group will not be accessible to this account. This behavior is not true of members of the Domain Guests and Guests groups, however- members of those groups do have the Authenticated Users SID added to their access tokens. Direct user rights: None Inherited user rights: Access this computer from the network Bypass traverse checking Increase a process working set |
Guests |
Built-in container Domain-local security group |
Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted as described earlier. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Hyper-V Administrators (Windows Server 2012) |
Built-in container Domain-local security group |
Members of this group have complete and unrestricted access to all features of Hyper-V. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
IIS_IUSRS |
Built-in container Domain-local security group |
Built-in group used by Internet Information Services. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Incoming Forest Trust Builders (exists only in forest root domain) |
Built-in container Domain-local security group |
Members of this group can create incoming, one-way trusts to this forest. (Creation of outbound forest trusts is reserved for Enterprise Admins.) Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Krbtgt |
Users container Not a group |
The Krbtgt account is the service account for the Kerberos Key Distribution Center in the domain. This account has access to all accounts’ credentials stored in Active Directory. This account is disabled by default and should never be enabled User rights: N/A |
Network Configuration Operators |
Built-in container Domain-local security group |
Members of this group are granted privileges that allow them to manage configuration of networking features. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Performance Log Users |
Built-in container Domain-local security group |
Members of this group can schedule logging of performance counters, enable trace providers, and collect event traces locally and via remote access to the computer. Direct user rights: Log on as a batch job Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Performance Monitor Users |
Built-in container Domain-local security group |
Members of this group can access performance counter data locally and remotely. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Pre-Windows 2000 Compatible Access |
Built-in container Domain-local security group |
This group exists for backward compatibility with operating systems prior to Windows 2000 Server, and it provides the ability for members to read user and group information in the domain. Direct user rights: Access this computer from the network Bypass traverse checking Inherited user rights: Add workstations to domain Increase a process working set |
Print Operators |
Built-in container Domain-local security group |
Members of this group can administer domain printers. Direct user rights: Allow log on locally Load and unload device drivers Shut down the system Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
RAS and IAS Servers |
Users container Domain-local security group |
Servers in this group can read remote access properties on user accounts in the domain. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
RDS Endpoint Servers (Windows Server 2012) |
Built-in container Domain-local security group |
Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
RDS Management Servers (Windows Server 2012) |
Built-in container Domain-local security group |
Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
RDS Remote Access Servers (Windows Server 2012) |
Built-in container Domain-local security group |
Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Read-only Domain Controllers |
Users container Global security group |
This group contains all read-only domain controllers in the domain. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Remote Desktop Services Users |
Built-in container Domain-local security group |
Members of this group are granted the right to log on remotely using RDP. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Remote Management Servers (Windows Server 2012) |
Built-in container Domain-local security group |
Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Replicator |
Built-in container Domain-local security group |
Supports legacy file replication in a domain. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Schema Admins (exists only in forest root domain) |
Users container Universal security group |
Schema admins are the only users who can make modifications to the Active Directory schema, and only if the schema is write-enabled. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Server Operators |
Built-in container Domain-local security group |
Members of this group can administer domain servers. Direct user rights: Allow log on locally Back up files and directories Change the system time Change the time zone Force shutdown from a remote system Restore files and directories Shut down the system Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Terminal Server License Servers |
Built-in container Domain-local security group |
Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage Default direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
Users |
Built-in container Domain-local security group |
Users have permissions that allow them to read many objects and attributes in Active Directory, although they cannot change most. Users are prevented from making accidental or intentional system-wide changes and can run most applications. Direct user rights: Increase a process working set Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking |
Windows Authorization Access Group |
Built-in container Domain-local security group |
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |
WinRMRemoteWMIUsers_ (Windows Server 2012) |
Users container Domain-local security group |
Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. Direct user rights: None Inherited user rights: Access this computer from the network Add workstations to domain Bypass traverse checking Increase a process working set |