# Security groups

### Theory <a href="#theory" id="theory"></a>

> In the Windows Server operating system, there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. ([Microsoft](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255\(v=ws.11\)?redirectedfrom=MSDN))

There are scenarios where testers can obtain full control over members of built-in security groups. The usual targets are members of the "Administrators", "Domain Admins" or "Enterprise Admins" groups; however, other groups can sometimes lead to major privilege escalation.

### Practice <a href="#practice" id="practice"></a>

Below is a table summing up some groups' rights and abuse paths.

| Security Group | Rights and abuses |
| --- | --- |
| **Account Operators** | <p>its members can create and manage users and groups, including its own membership and that of the Server Operators group (e.g. <a href="https://www.thehacker.recipes/ad/movement/dacl/addmember">add a member to a group</a>)</p><p>its members can also be used to help abuse user accounts with <a href="https://www.thehacker.recipes/ad/movement/kerberos/delegations#unconstrained-delegations">unconstrained delegations</a> since Account Operators can edit users' SPNs.</p><p><em>"This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved." (</em><a href="https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups"><em>docs.microsoft.com</em></a><em>)</em></p><p>🔥 members can sometimes also escalate through the "Enterprise Key Admins" group and obtain full control over the root domain (read <a href="https://secureidentity.se/adprep-bug-in-windows-server-2016/">the ADPREP bug</a>).</p> |
| **Administrators** | full admin rights to the Active Directory domain and Domain Controllers |
| **Backup Operators** | <p>can back up or restore Active Directory and have logon rights to Domain Controllers</p><p>🔥 its members can remotely back up the necessary registry hives to <a href="https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets">dump SAM & LSA secrets</a> and then conduct a <a href="https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync">DCSync</a></p> |
| **Server Operators** | its members can sign in to a server, start and stop services, access domain controllers, perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers |
| **DnsAdmins** | can read, write, create and delete DNS records (e.g. edit the [wildcard record](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/adidns-spoofing#manual-record-manipulation) if it already exists). Its members can also [run code via DLL on a Domain Controller operating as a DNS server](https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83) ([CVE-2021-40469](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40469)). |
| **Domain Admins** | full admin rights to the Active Directory domain, all computers, workstations, servers, users and so on |
| **Enterprise Admins** | full admin rights to all Active Directory domains in the AD forest |
| **Schema Admins** | modify the schema structure of the Active Directory. Only the objects created **after** the modification are affected. |
| **Group Policy Creator Owners** | create Group Policies in the domain. Its members can't apply group policies to users or groups, or edit existing GPOs |
| **Cert Publishers** | its members usually are the servers where [AD CS](https://www.thehacker.recipes/ad/movement/ad-cs) is installed |
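From the defender's side, the first check against every row of the table is simply "who is in these groups, including through nested groups". The following PowerShell script is an added example and not part of thehacker.recipes: it enumerates the recursive membership of the groups listed above with the RSAT `ActiveDirectory` module and flags members of the groups that a hardened domain normally keeps empty. The `ShouldBeEmpty` flag for Account Operators follows the Microsoft guidance quoted in the table; the flags for the other groups are this example's assumptions and should be adjusted to the environment's own baseline (e.g. Group Policy Creator Owners and Schema Admins contain the built-in Administrator account by default).

```powershell
# Added audit example (not the page's or project's code). Requires the RSAT
# ActiveDirectory module on a domain-joined host with read access to the domain.
Import-Module ActiveDirectory -ErrorAction Stop

# Groups taken from the table above. "ShouldBeEmpty" encodes the expected
# baseline: true for Account Operators per the quoted Microsoft guidance,
# assumption-level values for the rest (adjust to your own baseline).
$groupsToAudit = @(
    @{ Name = 'Account Operators';           ShouldBeEmpty = $true  },
    @{ Name = 'Administrators';              ShouldBeEmpty = $false },
    @{ Name = 'Backup Operators';            ShouldBeEmpty = $true  },
    @{ Name = 'Server Operators';            ShouldBeEmpty = $true  },
    @{ Name = 'DnsAdmins';                   ShouldBeEmpty = $true  },
    @{ Name = 'Domain Admins';               ShouldBeEmpty = $false },
    @{ Name = 'Enterprise Admins';           ShouldBeEmpty = $false },
    @{ Name = 'Schema Admins';               ShouldBeEmpty = $true  },
    @{ Name = 'Group Policy Creator Owners'; ShouldBeEmpty = $true  },
    @{ Name = 'Cert Publishers';             ShouldBeEmpty = $false }
)

$report = foreach ($g in $groupsToAudit) {
    try {
        # -Recursive flattens nested groups, so an account that reaches the
        # group through an intermediate group is still reported.
        $members = Get-ADGroupMember -Identity $g.Name -Recursive -ErrorAction Stop
    } catch {
        # Enterprise Admins only exists in the forest root; DnsAdmins only when
        # AD-integrated DNS is present. Report and move on instead of aborting.
        Write-Warning "Could not enumerate '$($g.Name)': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Group       = $g.Name
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            # Any member of a "keep empty" group is a finding to review.
            Unexpected  = $g.ShouldBeEmpty
        }
    }
}

# Findings first, then the rest; also keep a CSV for diffing between runs.
$report | Sort-Object -Property @{ Expression = 'Unexpected'; Descending = $true }, Group |
    Format-Table -AutoSize
$report | Export-Csv -Path .\builtin-group-membership.csv -NoTypeInformation
```

Run it periodically and diff the CSV between runs: a new member appearing in Account Operators, Backup Operators, Server Operators or DnsAdmins is exactly the kind of change the abuse paths in the table start from. The same changes are also logged on the domain controller as group-membership events (4728, 4732 and 4756 for additions to global, local and universal security groups respectively), which is the place to alert in near real time rather than waiting for the next audit run.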
