Security Memo

Search (Ctrl+K)

SearchSearch

Recent Notes

See 1423 more sorted by tag →

default security groups

created Jan 08, 2024updated Apr 16, 20242 min read

  • Domain Controllers - All domain controllers in the domain
  • Domain Guests - All domain guests
  • Domain Users - All domain users
  • Domain Computers - All workstations and servers joined to the domain
  • Domain Admins - Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs
  • Enterprise Admins - Designated administrators of the enterprise; has admin access to all domains in the forest
  • Schema Admins - Designated administrators of the schema
  • DNS Admins - DNS Administrators Group
  • Server Operators - Users in this group can administer Domain Controllers. They cannot change any administrative group memberships.
  • Backup Operators - Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers.
  • Account Operators - Users in this group can create or modify other accounts in the domain.
  • DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
  • Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers (RODC) in the domain
  • Group Policy Creator Owners - Members in this group can modify group policy for the domain
  • Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
  • Protected Users - Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
  • Cert Publishers - Members of this group are permitted to publish certificates to the directory
  • Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain
  • Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise
  • Key Admins - Members of this group can perform administrative actions on key objects within the domain.
  • Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.
  • Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.
  • RAS and IAS Servers - Servers in this group can access remote access properties of users More security groups on MS docs

Graph View

Backlinks