{"id":272,"date":"2014-02-15T15:17:24","date_gmt":"2014-02-15T20:17:24","guid":{"rendered":"http:\/\/adsecurity.org\/?p=272"},"modified":"2015-03-14T20:11:16","modified_gmt":"2015-03-15T00:11:16","slug":"active-directory-security-group-resources","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=272","title":{"rendered":"Active Directory Security Group Resources"},"content":{"rendered":"<p><a href=\"http:\/\/blogs.technet.com\/b\/lrobins\/?Redirected=true\">Laura Robinson (Microsoft)<\/a> has 2 posts which are excellent resources when working on your Active Directory delegation model. These posts focus on the concept of an \u201cAdmin-Free Active Directory\u201d meaning that there are no accounts in the powerful AD groups: Enterprise Admins, Domain Admins, Administrators, &amp; Schema Admins.<\/p>\n<p>The posts also list all of the groups that, by default, have the rights to log onto Domain Controllers. These groups need to be tightly controlled and monitored.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/02\/Default-DC-LogOnLocallyGroups.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-720\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/02\/Default-DC-LogOnLocallyGroups.png\" alt=\"Default-DC-LogOnLocallyGroups\" width=\"447\" height=\"339\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/02\/Default-DC-LogOnLocallyGroups.png 667w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/02\/Default-DC-LogOnLocallyGroups-300x227.png 300w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/a><br \/>\nThese groups are listed here:<\/p>\n<ul>\n<li>Enterprise Admins (member of the domain Administrators group in every domain in the forest)<\/li>\n<li>Domain Admins (member of the domain Administrators group)<\/li>\n<li>Administrators<\/li>\n<li>Backup Operators<\/li>\n<li><strong>Account Operators<\/strong><\/li>\n<li><strong>Print Operators<\/strong><\/li>\n<\/ul>\n<p>The 
last two groups on this list may surprise you. If so, you may want to audit membership in these groups since accounts in any of these groups have <em>log on locally rights to the Domain Controllers<\/em> in the domain.<\/p>\n<p>Laura\u2019s Blog Posts:<br \/>\n<a href=\"https:\/\/blogs.technet.com\/b\/lrobins\/archive\/2011\/06\/23\/quot-admin-free-quot-active-directory-part-2-protected-accounts-and-groups-in-active-directory.aspx?Redirected=true\">Part 1 - Understanding Privileged Groups in AD<br \/>\nPart 2 - Protected Accounts and Groups in Active Directory<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Laura Robinson (Microsoft) has 2 posts which are excellent resources when working on your Active Directory delegation model. These posts focus on the concept of an \u201cAdmin-Free Active Directory\u201d meaning that there are no accounts in the powerful AD groups: Enterprise Admins, Domain Admins, Administrators, &amp; Schema Admins. The posts also list all of the &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=272\">Continue 
reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[75,97,98,99,100],"class_list":["post-272","post","type-post","status-publish","format-standard","hentry","category-microsoft-security","tag-active-directory","tag-ad-administration","tag-ad-delegation","tag-ad-rights","tag-ad-security","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=272"}],"version-history":[{"count":4,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/272\/revisions"}],"predecessor-version":[{"id":1481,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/272\/revisions\/1481"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}