# Account Operators

## Information

**Members of this group can create and modify most types of accounts**, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers.

Members of the Account Operators group can't manage the Administrator user account, the user accounts of administrators, or the [Administrators](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#administrators), [Server Operators](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#server-operators), [Account Operators](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#account-operators), [Backup Operators](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#backup-operators), or [Print Operators](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#print-operators) groups. Members of this group **can't modify user rights**.

**By default, this built-in group has no members**. The group can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings.

> Well-known SID: `S-1-5-32-548`.

## Exploitation

### Group Assignment

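```powershell
# create a new domain user
net user /domain <USER> <PASS> /add
# add the user to the specified domain group (Add-DomainGroupMember is a PowerView function)
Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>'
# same operation with net.exe, using Exchange Windows Permissions as the target group
net group /domain "Exchange Windows Permissions" <USER> /add
```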

High-value groups with direct paths to domain compromise are [Exchange Windows Permissions](https://x7331.gitbook.io/boxes/tl-dr/active-directory/groups/exchange-windows-permissions) and [DnsAdmins](https://x7331.gitbook.io/boxes/tl-dr/active-directory/groups/dnsadmins). For an example of the former, see [here](https://x7331.gitbook.io/boxes/boxes/boxes/easy/forest#sniffing-out-an-attack-path); for the latter, see [here](https://x7331.gitbook.io/boxes/boxes/boxes/medium/resolute#elevation-of-privileges).
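On the defensive side, the group changes above are recorded on domain controllers as Security events 4728, 4732 and 4756, so they can be filtered down to those made by an Account Operators member against a watched group. The following is an added example, not code from the original page: the function names are hypothetical, the sample records and SID are constructed, and the watched-group list is taken from the groups named on this page.

```powershell
# Added example, not from the original page. Function names are hypothetical.
# 4728 / 4732 / 4756 = member added to a global / local / universal security group.
$WatchedGroups = 'Exchange Windows Permissions', 'DnsAdmins', 'Server Operators', 'Account Operators'

function ConvertFrom-GroupChangeEvent {
    # Flatten the EventData fields of a Security-log record into one object.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $Record.TimeCreated
            EventId  = $Record.Id
            ActorSid = $data['SubjectUserSid']   # who made the change
            Actor    = $data['SubjectUserName']
            Group    = $data['TargetUserName']   # group that was modified
            Member   = $data['MemberName']       # DN of the account that was added
        }
    }
}

function Find-OperatorGroupChange {
    # Keep only changes to a watched group made by an Account Operators member.
    param(
        [object[]] $Change,
        [string[]] $OperatorSid,
        [string[]] $Group = $WatchedGroups
    )
    $Change | Where-Object { $_.ActorSid -in $OperatorSid -and $_.Group -in $Group }
}

# Constructed sample records (not real log data), shaped like the converter's output.
$opSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
$sample = @(
    [pscustomobject]@{ EventId = 4756; ActorSid = $opSid; Actor = 'helpdesk01'
                       Group = 'Exchange Windows Permissions'; Member = 'CN=newuser,CN=Users,DC=corp,DC=example' }
    [pscustomobject]@{ EventId = 4728; ActorSid = $opSid; Actor = 'helpdesk01'
                       Group = 'Sales'; Member = 'CN=newuser,CN=Users,DC=corp,DC=example' }
)
# Only the first record is reported: operator actor and watched group.
Find-OperatorGroupChange -Change $sample -OperatorSid $opSid | Format-Table EventId, Actor, Group, Member

# Live use on a domain controller (requires the ActiveDirectory module):
# $ops = (Get-ADGroupMember -Identity 'S-1-5-32-548' -Recursive).SID.Value   # empty by default
# $chg = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756 } |
#        ConvertFrom-GroupChangeEvent
# Find-OperatorGroupChange -Change $chg -OperatorSid $ops
```

These events are only written when the "Audit Security Group Management" audit subcategory is enabled. Because the group has no members by default, any SID returned for `S-1-5-32-548` is itself worth reviewing.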

### Password Change

[Change an account's password](https://x7331.gitbook.io/boxes/tl-dr/active-directory/permissions/forcechangepassword) (if it's not a member of one of the protected groups listed above).

## Resources

{% tabs %}
{% tab title="Account Operators" %}
{% embed url="https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#account-operators" %}
{% endtab %}

{% tab title="Privilege Escalation" %}
{% embed url="https://www.whiteoaksecurity.com/blog/account-operators-privilege-escalation/" %}
{% endtab %}
{% endtabs %}
