Default Account Operators permissions on DC object

The Active Directory Documentation Team has published an interesting post about the default permissions of the Account Operators (AO) group, which might be present on a DC object as a result of ACLs placed earlier on the computer object.

In short:

  • AO is granted permissions to manage many objects in a domain, including computer objects.
  • By default, AO is granted Full Control on computer objects.
  • If such a computer is later promoted to the DC role, these permissions remain on the object,
    • effectively giving AO Full Control over the DC object.
  • It applies to objects created in Windows 2003 and Windows 2008 R2 based directories.
  • It doesn’t apply to a directory created from scratch with Windows 2008.
  • The remedy is simple:
    • Edit the object’s ACLs and correct the AO permissions to meet your organization’s standards.
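One way to apply that remedy across a domain, as an added example rather than anything from the original post or the Microsoft article: the script below reports every ACE on a domain controller's computer object that is granted to Account Operators, and with -Remove strips the explicit (non-inherited) Allow entries that were stamped on the object back when it was an ordinary computer. It assumes the ActiveDirectory RSAT module, a domain to query, and rights to read and modify the DC objects' security descriptors; the -Remove switch and the output column names are this script's own choices.

```powershell
# Added example (not from the original post): audit, and optionally remove,
# explicit ACEs granted to BUILTIN\Account Operators on DC computer objects.
# Assumes the ActiveDirectory module (RSAT) and rights to read/modify the
# security descriptors of the DC objects. Supports -WhatIf via ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Read-only report by default; pass -Remove to actually strip the ACEs.
    [switch]$Remove
)

Import-Module ActiveDirectory

# Well-known SID of the BUILTIN\Account Operators group.
$aoSid = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-548').Value

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    $dn      = $dc.ComputerObjectDN
    $acl     = Get-Acl -Path "AD:\$dn"
    $changed = $false

    # $acl.Access is a snapshot, so removing rules from $acl while looping is safe.
    foreach ($ace in $acl.Access) {
        # Resolve the ACE principal to a SID so localized group names don't matter.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }

        if ($sid -ne $aoSid) { continue }

        [pscustomobject]@{
            DomainController = $dc.HostName
            ObjectDN         = $dn
            Rights           = $ace.ActiveDirectoryRights
            Type             = $ace.AccessControlType
            Inherited        = $ace.IsInherited
            ObjectType       = $ace.ObjectType
        }

        # Only explicit Allow ACEs are removed here. Inherited entries come from
        # the parent OU/container and have to be corrected at their source.
        if ($Remove -and -not $ace.IsInherited -and
            $ace.AccessControlType -eq 'Allow' -and
            $PSCmdlet.ShouldProcess($dn, "Remove Account Operators ACE ($($ace.ActiveDirectoryRights))")) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }

    # Write the modified security descriptor back once per DC object.
    if ($changed) { Set-Acl -Path "AD:\$dn" -AclObject $acl }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Account Operators ACEs found on DC computer objects.'
}
```

Run it without switches first to see what is actually there, then with -Remove -WhatIf to preview the changes; the report deliberately lists inherited entries too, because those indicate an ACL on the Domain Controllers OU or its parents that needs attention separately.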

In general I don’t like to repeat other posts, but I thought this one was interesting.