Default Account Operators permissions on DC object

Reading Time: < 1 minute

Active Directory Documentation Team has put on the web interesting post about default permissions of Account Operators (AO) group which might be present on DC object as a result of ACLs placed earlier on computer object.


(cc) ph0t0 {loves you too}

In short words:

  • AO are being granted permissions to manage many objects in a domain, among others also computer objects
  • By default AO are being granted with Full control permissions on computer object.
  • If such computer will be promoted later to DC role these permissions last on this object
    • Effectively giving AO Full control right on this object.
  • It applies to objects created in Windows 2003 and Windows 2008 R2 based directories
  • It doesn’t apply to directory created from the scratch with Windows 2008
  • Remedy is simple: 
    • Just edit object’s ACLs and correct AO permissions to meet your organization standards.

In general I don’t like to repeat other posts but I thought that this one is interesting.