"Account Ops-FC" access control entry (ACE)

Active Directory Documentation Team : Account Operators group and … | Computer Internet and Technology Articles.

Thu, 23 Apr 2009 04:16:47 GMT

PingBack from http://program.cgwebstudio.com/active-directory-documentation-team-account-operators-group-and/

Default Account Operators permissions on DC object

Tomek's DS World — Thu, 23 Apr 2009 23:42:58 GMT

Active Directory Documentation Team has put on the web interesting post about default permissions of

re: Account Operators group and AD computer accounts

JPolicelli — Sat, 02 May 2009 04:08:03 GMT

This is great info to make available to the public. I am curious why this is being made publically available 10 years after AD was released. Better late than never I guess.

I have always preached that the built-in groups should not be used. I have seen many cases where the Account Operators group has been used to exploit AD and DCs. I posted about this a while back (http://policelli.com/blog/?p=128). This lingering ACE is another reason to NOT use the built-in groups, especially the Account Operators group.