Account Operators
Last updated
Was this helpful?
Last updated
Was this helpful?
Members of this group can create and modify most types of accounts, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers.
Members of the Account Operators group can't manage the Administrator user account, the user accounts of administrators, or the , , , , or groups. Members of this group can't modify user rights.
By default, this built-in group has no members. The group can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings.
Well-known SID:
S-1-5-32-548.
High value groups with direct paths to domain compromise are: and . For an example of the former check or of the latter .
(if it's not a member of one of the protected groups listed above).
