search

Account Operators

hashtag
Information

Members of this group can create and modify most types of accounts, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers.

Members of the Account Operators group can't manage the Administrator user account, the user accounts of administrators, or the Administratorsarrow-up-right, Server Operatorsarrow-up-right, Account Operatorsarrow-up-right, Backup Operatorsarrow-up-right, or Print Operatorsarrow-up-right groups. Members of this group can't modify user rights.

By default, this built-in group has no members. The group can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings.

Well-known SID: S-1-5-32-548.

hashtag
Exploitation

hashtag
Group Assignment

# create a new domain user
net user /domain <USER> <PASS> /add
# add user to the specified domain group
Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>'
net group /domain "Exchange Windows Permissions" <USER> /add

High value groups with direct paths to domain compromise are: Exchange Windows Permissions and DnsAdmins. For an example of the former check herearrow-up-right or of the latter herearrow-up-right.

hashtag
Password Change

Change an account's password (if it's not a member of one of the protected groups listed above).

hashtag
Resources

LogoActive Directory Security GroupsMicrosoftLearnchevron-right
PreviousGroupsNextBackup Operators

Last updated