
👥 Groups

Effective user management in Active Directory requires the strategic utilisation of groups to maintain operational efficiency and security governance. Without groups, administrators would be required to assign permissions to individual users, creating significant administrative overhead and increasing the likelihood of configuration errors.

Groups provide a scalable solution by enabling administrators to assign permissions to collective entities rather than individual accounts. When organisational policies change, permissions can be modified at the group level rather than updating each user account individually.

Like user accounts, groups are stored within the domain database and can be identified by their SamAccountName attribute or Security Identifier (SID). The directory can be queried to enumerate groups and their respective memberships.

PS C:\Users\User> Get-ADGroup -Filter * | select SamAccountName

SamAccountName
--------------
Administrators
Users
Guests
<-- stripped output -->
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
<-- stripped output -->
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
DHCP Users
DHCP Administrators

Critical Security Groups

Active Directory implements numerous default groups with varying privilege levels. From a security perspective, certain groups present significant attack vectors due to their elevated privileges.

Administrative Groups

Domain Admins

The Domain Admins group confers administrative privileges across the entire domain. Understanding membership of this group is essential for both legitimate administration and security assessment activities.

PS C:\Users\User> Get-ADGroup "Domain Admins" -Properties members,memberof

DistinguishedName : CN=Domain Admins,CN=Users,DC=etherdrake,DC=local
GroupCategory     : Security
GroupScope        : Global
MemberOf          : {CN=Denied RODC Password Replication Group,CN=Users,DC=etherdrake,DC=local,
                    CN=Administrators,CN=Builtin,DC=etherdrake,DC=local}
Members           : {CN=Administrator,CN=Users,DC=etherdrake,DC=local}
Name              : Domain Admins
ObjectClass       : group
ObjectGUID        : ac3ac095-3ea0-4922-8130-efa99ba99afa
SamAccountName    : Domain Admins
SID               : S-1-5-21-1372086773-2238746523-2939299801-512

Enterprise Admins

The Enterprise Admins group provides administrative privileges across the entire forest. This group exists solely within the forest root domain but is automatically added to the Administrators group of all domains within the forest.

The relationship between administrative groups follows a hierarchical structure:

  • Enterprise Admins are members of Administrators groups across all domains
  • Domain Admins are members of the Administrators group within their domain and local Administrators groups on domain-joined computers

Additional High-Privilege Groups

Several other groups warrant attention due to their potential for privilege escalation:

DNSAdmins

Members of the DNSAdmins group possess the capability to execute code on Domain Controllers as the SYSTEM account through the loading of arbitrary DLLs.

Protected Users

The Protected Users group enforces enhanced security controls for high-value accounts. Members are restricted from:

  • Utilising NTLM authentication (Kerberos only)
  • Employing weak encryption types during Kerberos pre-authentication
  • Participating in unconstrained or constrained delegation
  • Renewing Kerberos Ticket Granting Tickets beyond the initial four-hour period

These restrictions mitigate common attack vectors including NTLM relay attacks and Kerberos delegation abuse.

Schema Admins

Schema Admins possess the authority to modify the Active Directory database schema, representing a critical privilege level.

Account Operators

Account Operators can modify membership of most domain groups, excluding administrative groups, though they retain the ability to modify the Server Operators group.

Backup Operators

Members can perform backup and restore operations on Domain Controllers, potentially enabling modification of critical system files.

Print Operators

Print Operators possess the capability to log onto Domain Controllers.

Server Operators

Server Operators can log onto Domain Controllers and manage their configuration.

Remote Desktop Users

Members can establish Remote Desktop Protocol sessions to Domain Controllers.

Group Policy Creator Owners

These individuals can modify Group Policy Objects within the domain.

Numerous additional groups are documented within Microsoft's official documentation. Furthermore, organisations often implement custom groups for specific operational requirements, which may also carry significant privileges. Third-party software installations frequently introduce additional administrative groups that require careful monitoring.
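The following audit script is an added example, not code from the original page. It ties together the points above: it resolves the high-privilege groups by well-known RID or SID rather than by name (the identification method described at the start of the page), flattens nested membership with -Recursive so that indirect members of Domain Admins and the other groups are not missed, and checks each resulting user account against Protected Users membership. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the group names in the hashtable are only labels for the report, and DnsAdmins is looked up by name because it has no fixed RID. Enterprise Admins and Schema Admins only exist in the forest root domain, so those lookups are allowed to fail in a child domain.

```powershell
# Added example: recursive membership audit of the high-privilege groups discussed above.
# Assumes the RSAT ActiveDirectory module and a domain-joined host with directory read access.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known RIDs / SIDs, so the audit still works if a group has been renamed.
$targets = @{
    'Domain Admins'               = "$domainSid-512"
    'Schema Admins'               = "$domainSid-518"   # forest root domain only
    'Enterprise Admins'           = "$domainSid-519"   # forest root domain only
    'Group Policy Creator Owners' = "$domainSid-520"
    'Administrators'              = 'S-1-5-32-544'
    'Account Operators'           = 'S-1-5-32-548'
    'Server Operators'            = 'S-1-5-32-549'
    'Print Operators'             = 'S-1-5-32-550'
    'Backup Operators'            = 'S-1-5-32-551'
    'Remote Desktop Users'        = 'S-1-5-32-555'
    'DnsAdmins'                   = 'DnsAdmins'        # no fixed RID; resolved by SamAccountName
}

# Protected Users (RID 525): privileged accounts should normally be in here.
$protectedUsers = Get-ADGroupMember -Identity "$domainSid-525" -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty distinguishedName

$report = foreach ($name in $targets.Keys) {
    try {
        $group = Get-ADGroup -Identity $targets[$name] -ErrorAction Stop
    } catch {
        # Enterprise Admins / Schema Admins do not exist outside the forest root domain.
        Write-Warning "Skipping $name : $($_.Exception.Message)"
        continue
    }

    # -Recursive flattens nested groups so indirect members are reported too.
    foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
        if ($member.objectClass -ne 'user') {
            # Computers, gMSAs and foreign security principals are listed without user details.
            [pscustomobject]@{
                Group = $group.Name; Member = $member.SamAccountName; Type = $member.objectClass
                Enabled = $null; LastLogon = $null; InProtectedUsers = $null
            }
            continue
        }
        $user = Get-ADUser -Identity $member.distinguishedName -Properties Enabled, LastLogonDate
        [pscustomobject]@{
            Group            = $group.Name
            Member           = $user.SamAccountName
            Type             = 'user'
            Enabled          = $user.Enabled
            LastLogon        = $user.LastLogonDate
            InProtectedUsers = ($protectedUsers -contains $user.DistinguishedName)
        }
    }
}

# Full picture first, then the accounts to review: enabled privileged users outside Protected Users.
$report | Sort-Object Group, Member | Format-Table -AutoSize
$report | Where-Object { $_.Type -eq 'user' -and $_.Enabled -and -not $_.InProtectedUsers } |
    Select-Object Group, Member -Unique
```

Resolving by SID is deliberate: a renamed "Domain Admins" still has RID 512, so name-based checks can silently miss it. The final filter is the defender's shortlist: an enabled account that holds one of these memberships but is not covered by the NTLM, encryption and delegation restrictions that Protected Users enforces.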

Group Scoping Mechanisms

Active Directory implements three distinct group scopes to facilitate cross-domain and cross-forest resource management:

  • Universal Groups: Can contain members from any domain within the same forest and grant permissions across the entire forest or trusted external forests. The Enterprise Admins group exemplifies this scope.

  • Global Groups: Restricted to members from the same domain but can grant permissions across domains within the same forest or trusted domains/forests. Domain Admins represents a Global group.

  • Domain Local Groups: Can include members from the local domain or any trusted domain, granting permissions exclusively within their originating domain. The Administrators group demonstrates this scope.

Additionally, domain groups and users can be assigned membership in computer local groups. For instance, the Domain Admins group is conventionally added to the local Administrators group on member servers by default.
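As an added example (not code from the original page), the script below makes the three scopes and the computer-local-group relationship visible on a real domain. It assumes the RSAT ActiveDirectory module for the first two parts and the built-in Microsoft.PowerShell.LocalAccounts module, run on a member server itself or through Invoke-Command, for the last part. The SID prefix filter is an assumption made here to separate principals from trusted domains from well-known SIDs such as Authenticated Users, which are also stored as foreign security principals.

```powershell
# Added example: group scopes in practice, and domain principals inside a computer local group.
Import-Module ActiveDirectory

# 1. How many groups exist per scope, and the scope of the three groups the text uses as examples.
Get-ADGroup -Filter * -Properties GroupScope |
    Group-Object GroupScope |
    Select-Object Name, Count

foreach ($name in 'Enterprise Admins', 'Domain Admins', 'Administrators') {
    # Enterprise Admins is absent in a child domain, so a miss is tolerated.
    Get-ADGroup -Identity $name -ErrorAction SilentlyContinue |
        Select-Object Name, GroupScope, GroupCategory
}

# 2. Only Domain Local groups can hold principals from externally trusted domains.
#    Such members are stored as foreignSecurityPrincipal objects; the S-1-5-21- prefix
#    filter (assumption made here) keeps domain principals and drops well-known SIDs.
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' | ForEach-Object {
    $foreign = Get-ADGroupMember -Identity $_ -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'foreignSecurityPrincipal' -and $_.SID.Value -like 'S-1-5-21-*' }
    if ($foreign) {
        [pscustomobject]@{
            Group          = $_.Name
            ForeignMembers = (($foreign | ForEach-Object { $_.SID.Value }) -join ', ')
        }
    }
}

# 3. On a member server: who is in the computer's local Administrators group.
#    PrincipalSource separates local accounts from domain users and groups such as Domain Admins.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Part 2 is the practical reason scope matters for security review: an external-trust principal nested into a Domain Local group that grants rights on a Domain Controller is easy to overlook when only domain users are audited. Part 3 shows the default Domain Admins membership of local Administrators described above, alongside any other domain groups that have been added over time.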