{"id":4607,"date":"2025-09-16T20:03:00","date_gmt":"2025-09-17T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4607"},"modified":"2026-02-27T13:20:53","modified_gmt":"2026-02-27T18:20:53","slug":"active-directory-security-tip-4-default-built-in-active-directory-groups","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4607","title":{"rendered":"Active Directory Security Tip #4: Default\/Built-In Active Directory Groups"},"content":{"rendered":"\n<p>There are several default\/built-in privileged groups that should be reviewed: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Account Operators<\/strong> &#8211; should be empty per Microsoft due to highly privileged access in AD. <\/li>\n\n\n\n<li><strong>Backup Operators<\/strong> &#8211; should only contain backup service accounts used to back up and restore Active Directory. <\/li>\n\n\n\n<li><strong>Cert Publishers<\/strong> &#8211; should only contain PKI-related accounts (CAs &amp; related service accounts) since it can publish certificates for AD users. <\/li>\n\n\n\n<li><strong>DNSAdmins<\/strong> &#8211; typically only used when admins other than ADAs perform DNS administration. Use sparingly. <\/li>\n\n\n\n<li><strong>Enterprise Key Admins<\/strong> &#8211; have admin rights on key objects in AD. <\/li>\n\n\n\n<li><strong>Event Log Readers<\/strong> &#8211; should only include accounts that require access to Domain Controller event logs.<\/li>\n\n\n\n<li><strong>Group Policy Creator Owners<\/strong> &#8211; can modify Group Policies in the domain. Membership should be empty and rights delegated instead. <\/li>\n\n\n\n<li><strong>Print Operators<\/strong> &#8211; used only when a Domain Controller is used as a print server (which shouldn&#8217;t happen). The group has the ability to log on to Domain Controllers and install drivers, which makes it highly privileged. Group should be empty. <\/li>\n\n\n\n<li><strong>Server Operators<\/strong> &#8211; effectively local admin on Domain Controllers. Use sparingly. 
<\/li>\n\n\n\n<li><strong>Schema Admins<\/strong> &#8211; should be empty except when updating the AD schema. <\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/understand-security-groups\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/understand-security-groups<\/a> <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"680\" height=\"180\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GzNrh03X0AANTqH.jpg\" alt=\"\" class=\"wp-image-4609\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GzNrh03X0AANTqH.jpg 680w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GzNrh03X0AANTqH-300x79.jpg 300w\" sizes=\"auto, (max-width: 680px) 100vw, 680px\" \/><\/figure>\n\n\n\n<p><br><strong>PowerShell Script leveraging the Active Directory PowerShell module:<\/strong><br> <a href=\"https:\/\/github.com\/PyroTek3\/ActiveDirectory\/blob\/main\/Get-ADBuiltInAdmins.ps1\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/PyroTek3\/ActiveDirectory\/blob\/main\/Get-ADBuiltInAdmins.ps1<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are several default\/built-in privileged groups that should be reviewed: https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/understand-security-groups PowerShell Script leveraging the Active Directory PowerShell module: 
https:\/\/github.com\/PyroTek3\/ActiveDirectory\/blob\/main\/Get-ADBuiltInAdmins.ps1<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7,2],"tags":[1469,1475,1474],"class_list":["post-4607","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","category-technical-reference","tag-activedirectorysecuritytip","tag-builtinactivedirectorygroups","tag-defaultactivedirectorygroups","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4607","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4607"}],"version-history":[{"count":6,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4607\/revisions"}],"predecessor-version":[{"id":4966,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4607\/revisions\/4966"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}