Account Operators

Information

Members of this group can create and modify most types of accounts, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers.

Members of the Account Operators group can't manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group can't modify user rights.

By default, this built-in group has no members. The group can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings.

Well-known SID: S-1-5-32-548.

Exploitation

Group Assignment

# create a new domain user (net.exe; /domain targets the domain rather than the local SAM)
net user <USER> <PASS> /add /domain
# add the user to a domain group, either with PowerView's Add-DomainGroupMember ...
Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>'
# ... or with net.exe
net group "Exchange Windows Permissions" <USER> /add /domain

High value groups with direct paths to domain compromise are Exchange Windows Permissions and DnsAdmins. For an example of the former, check here; for the latter, here.

Password Change

Change an account's password, provided the account is not a member of one of the protected groups listed above.
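As an added detection-side example (not from the original page), the following Python reviews constructed Security event records for the two actions described above: additions to the high value groups or to Account Operators itself (matched by its well-known SID), and password resets performed by accounts known to sit in Account Operators. Event IDs 4728/4732/4756 (member added to a group) and 4724 (password reset attempt) are the standard Windows Security events; the watched group list, account names and sample records are assumptions constructed for the example.

```python
"""Flag account-management activity that Account Operators rights allow.
Constructed sample records (not real logs) carry the field names used by
Security events 4728/4732/4756 (member added to a group) and 4724
(password reset attempt). The watched group list is an assumption."""
from dataclasses import dataclass

ACCOUNT_OPERATORS_SID = "S-1-5-32-548"  # well-known SID given on the page

# Account Operators is empty by default, so any addition to it deserves an
# alert; the other two are the high value groups the page names.
WATCHED_GROUPS = {"Account Operators", "Exchange Windows Permissions", "DnsAdmins"}
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
PASSWORD_RESET = 4724


@dataclass
class Alert:
    event_id: int
    subject: str
    target: str
    reason: str


def review_events(events, account_operators):
    """Return Alerts for membership changes to watched groups and for
    password resets performed by known Account Operators members."""
    alerts = []
    for ev in events:
        eid, subject = ev["EventID"], ev["SubjectUserName"]
        if eid in GROUP_ADD_EVENTS:
            group = ev["TargetUserName"]  # for these events the target is the group
            if group in WATCHED_GROUPS or ev.get("TargetSid") == ACCOUNT_OPERATORS_SID:
                alerts.append(Alert(eid, subject, group,
                    f"{ev['MemberName']} added to {GROUP_ADD_EVENTS[eid]} group {group}"))
        elif eid == PASSWORD_RESET and subject in account_operators:
            alerts.append(Alert(eid, subject, ev["TargetUserName"],
                                "password reset by Account Operators member"))
    return alerts


# Constructed sample events; names and the S-1-5-21-PLACEHOLDER SIDs are made up.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc_helpdesk", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Exchange Windows Permissions", "TargetSid": "S-1-5-21-PLACEHOLDER-1125"},
    {"EventID": 4732, "SubjectUserName": "adm_ops", "MemberName": "CN=svc_helpdesk,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Account Operators", "TargetSid": ACCOUNT_OPERATORS_SID},
    {"EventID": 4728, "SubjectUserName": "adm_ops", "MemberName": "CN=bsmith,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Marketing", "TargetSid": "S-1-5-21-PLACEHOLDER-2001"},
    {"EventID": 4724, "SubjectUserName": "svc_helpdesk", "TargetUserName": "bsmith"},
    {"EventID": 4724, "SubjectUserName": "adm_ops", "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS, {"svc_helpdesk"}):
        print(alert)
```

Running the block against the sample data yields three alerts: the Exchange Windows Permissions addition, the Account Operators addition, and the reset performed by svc_helpdesk; the Marketing addition and adm_ops's reset are not flagged.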

Resources
