# Builtin Groups

## Theory

> In the Windows Server operating system, there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. ([Microsoft](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255\(v=ws.11\)?redirectedfrom=MSDN))

There are scenarios where testers can obtain full control over members of built-in security groups. The usual targets are members of the "Administrators", "Domain Admins" or "Enterprise Admins" groups; however, other groups can sometimes lead to major privilege escalation.

## Practice

Below is a table summarizing some groups' rights and abuse paths.

| Security Group | Rights and abuses |
| --- | --- |
| Account Operators | <p>its members can create and manage users and groups, including its own membership and that of the Server Operators group (e.g. <a href="../dacl/addmember">add a member to a group</a>)</p><p>its members can also be used to help abuse user accounts with <a href="../../kerberos/delegations#unconstrained-delegations">unconstrained delegations</a> since Account Operators can edit users' SPNs.</p><p><em>"This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved." (</em><a href="https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups"><em>docs.microsoft.com</em></a><em>)</em></p><p><span data-gb-custom-inline data-tag="emoji" data-code="1f525">🔥</span> at the time of writing (12th April 2021), members can sometimes also escalate through the "Enterprise Key Admins" group and obtain full control over the root domain (read <a href="https://secureidentity.se/adprep-bug-in-windows-server-2016/">the ADPREP bug</a>).</p> |
| Administrators | full admin rights to the Active Directory domain and Domain Controllers |
| Backup Operators | <p>can back up or restore Active Directory and have logon rights to Domain Controllers<br><br><span data-gb-custom-inline data-tag="emoji" data-code="1f525">🔥</span> its members can remotely back up the necessary registry hives to <a href="broken-reference">dump SAM & LSA secrets</a> and then conduct a <a href="../../../redteam/credentials/os-credentials/windows-and-active-directory/dcsync">DCSync</a></p> |
| Server Operators | its members can sign in to a server, start and stop services, access domain controllers, perform maintenance tasks (such as backup and restore), and change the binaries that are installed on the domain controllers |
| DnsAdmins | <p>can read, write, create and delete DNS records (e.g. edit the <a href="../../mitm-and-coerced-authentications/adidns-spoofing#manual-record-manipulation">wildcard record</a> if it already exists). Its members can also <a href="https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83">run code via a DLL on a Domain Controller operating as a DNS server</a> (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40469">CVE-2021-40469</a>).<br>See <a href="builtin-groups/dnsadmins">this page</a>.</p> |
| Domain Admins | full admin rights to the Active Directory domain, all computers, workstations, servers, users and so on |
| Enterprise Admins | full admin rights to all Active Directory domains in the AD forest |
| Schema Admins | can modify the schema structure of Active Directory. Only the objects created **after** the modification are affected. |
| Group Policy Creator Owners | can create Group Policies in the domain. Its members can't apply group policies to users or groups, or edit existing GPOs |
| Cert Publishers | its members are usually the servers where [AD CS](https://red.infiltr8.io/ad/movement/domain-settings/broken-reference) is installed |
| AD Recycle Bin | <p>its members have permissions to read deleted AD objects. Juicy information can be found in there.<br>See <a href="builtin-groups/ad-recycle-bin">this page</a>.</p> |
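The table above describes what each group can do; the first thing a defender (or a tester writing up findings) wants is to know who is actually in those groups. The following PowerShell audit is an added example, not code from the original page or from The Hacker Recipes. It assumes the ActiveDirectory RSAT module is installed and the session runs in a domain-joined context; the group names come from the table, the `ShouldBeEmpty` flag on Account Operators follows the Microsoft guidance quoted above, and the other flags and the hypothetical `Get-BuiltinGroupAudit` function name are assumptions made for this example.

```powershell
# Added example (not from the page): enumerate the built-in groups listed above,
# expand nested membership, and flag results a reviewer should look at.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

# Group names from the table above. ShouldBeEmpty for Account Operators reflects
# the quoted Microsoft guidance; the remaining flags are an assumption for this example.
$groups = @(
    @{ Name = 'Account Operators';           ShouldBeEmpty = $true  }
    @{ Name = 'Administrators';              ShouldBeEmpty = $false }
    @{ Name = 'Backup Operators';            ShouldBeEmpty = $false }
    @{ Name = 'Server Operators';            ShouldBeEmpty = $false }
    @{ Name = 'DnsAdmins';                   ShouldBeEmpty = $false }
    @{ Name = 'Domain Admins';               ShouldBeEmpty = $false }
    @{ Name = 'Enterprise Admins';           ShouldBeEmpty = $false }
    @{ Name = 'Schema Admins';               ShouldBeEmpty = $false }
    @{ Name = 'Group Policy Creator Owners'; ShouldBeEmpty = $false }
    @{ Name = 'Cert Publishers';             ShouldBeEmpty = $false }
)

function Get-BuiltinGroupAudit {
    # Hypothetical helper name chosen for this example.
    param([hashtable[]]$GroupList)

    foreach ($g in $GroupList) {
        try {
            # -Recursive expands nested groups so indirect members are counted too
            # (e.g. Domain Admins nested inside Administrators).
            $members = @(Get-ADGroupMember -Identity $g.Name -Recursive -ErrorAction Stop)
        } catch {
            # DnsAdmins only exists where the DNS server role was installed; skip missing groups.
            Write-Warning "Could not enumerate '$($g.Name)': $($_.Exception.Message)"
            continue
        }

        $users     = @($members | Where-Object objectClass -eq 'user')
        $computers = @($members | Where-Object objectClass -eq 'computer')

        # Computer accounts are expected in Cert Publishers (AD CS servers, per the table);
        # in any other privileged group they deserve a review.
        $finding = 'OK'
        if ($g.ShouldBeEmpty -and $members.Count -gt 0) {
            $finding = 'REVIEW: group should be empty'
        } elseif ($g.Name -ne 'Cert Publishers' -and $computers.Count -gt 0) {
            $finding = 'REVIEW: computer account(s) in privileged group'
        }

        [pscustomobject]@{
            Group       = $g.Name
            MemberCount = $members.Count
            Users       = ($users.SamAccountName -join ', ')
            Computers   = ($computers.SamAccountName -join ', ')
            Finding     = $finding
        }
    }
}

Get-BuiltinGroupAudit -GroupList $groups | Format-Table -AutoSize -Wrap
```

Run it as a user allowed to read group membership (any authenticated domain user can, by default). `Get-ADGroupMember -Recursive` can fail on very large groups or on foreign security principals from trusted domains, which is why each group is wrapped in its own `try`/`catch` rather than letting one failure abort the whole audit.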

## Resources

{% embed url="https://adsecurity.org/?p=3658" %}

{% embed url="https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows" %}

{% embed url="https://cube0x0.github.io/Pocing-Beyond-DA/" %}
