by Michael Garrity, Manager of Sales and Success Engineering
Overview
When managing Active Directory (AD), help desk managers must apply the Principle of Least Privilege to maintain a secure environment. This principle involves only granting users the permissions they need to perform specific tasks, thus minimizing potential security risks.
This article provides a comprehensive overview of common security groups, their privilege levels, and the tasks they can perform, with a focus on implementing least privilege. CyberQP Partners can use this information to inform their Privileged Access Management policies.
Understanding Privilege Levels in Active Directory
Before we proceed, you should understand what privileges look like in Active Directory. Here’s a quick refresher:
1. Less Privileged: These roles have limited access and permissions. They can perform specific tasks without broader administrative capabilities, reducing the risk of unintended changes or security breaches.
2. Privileged: Privileged roles have broader permissions but do not encompass full administrative control. They are typically assigned to users who need additional access beyond standard roles but still require some level of restriction.
3. Highly Privileged: Highly privileged roles have extensive administrative capabilities, including full control over AD and its resources. These roles should be assigned with caution, as they carry significant responsibility and risk.
Top 15 Active Directory Security Groups
Here are 15 of the most common Active Directory security groups, with the privilege level each actually carries and what its members can do. Several groups that look modest on paper hold rights on the domain controllers themselves, and the table says so where it applies:
Security Group | Privilege Level | Description | Tasks |
--- | --- | --- | --- |
Account Operators | Privileged (treat as Tier 0) | Built-in group that can create and modify most user, group, and computer accounts, but not accounts or groups protected by AdminSDHolder (Administrators, Domain Admins, and similar). Members can also log on locally to domain controllers. Microsoft recommends leaving it empty and delegating rights on specific OUs instead. | Create, modify, delete non-protected user, group, and computer accounts; reset their passwords. |
Administrators | Highly Privileged | The domain's built-in Administrators group: full control over domain controllers and, through them, the domain. Domain Admins and Enterprise Admins are members by default. | Full administrative rights on DCs; manage software and services; take ownership of any object. |
Backup Operators | Highly Privileged | Holds the Back up files and directories and Restore files and directories rights on DCs, which bypass file ACLs, plus local logon and shutdown of DCs. A member can copy the AD database (ntds.dit) and the SYSTEM registry hive, so membership is equivalent to domain compromise in practice. Microsoft recommends leaving it empty. | Back up and restore files and system state (including the AD database) on DCs. |
Cert Publishers | Privileged | Lets members publish certificates and CRLs to user and computer objects in AD; normally contains only the enterprise CA computer accounts. It does not issue or revoke certificates; those are CA roles (CA Administrator, Certificate Manager) configured on the CA itself. | Publish issued certificates and CRLs to the directory. |
DNSAdmins | Privileged (treat as Tier 0) | Administrative access to the DNS Server service, which in most AD deployments runs on the domain controllers as SYSTEM. Control over that service's server-level configuration is as sensitive as local access to the DC. | Create, modify, delete DNS zones and records; change DNS server settings. |
Domain Admins | Highly Privileged | Full administrative rights over the domain. Member of the domain's Administrators group and of the local Administrators group on every domain-joined computer by default. | Manage domain controllers, Group Policy, and domain-wide settings. |
Enterprise Admins | Highly Privileged | Full administrative rights in every domain of the forest; exists only in the forest root domain. Cannot edit the schema directly, but can add its own members to Schema Admins. | Manage trusts, sites, forest-wide configuration, and domain controllers in any domain. |
Group Policy Creator Owners | Privileged | Can create GPOs in the domain and has full control over the GPOs it creates. Cannot edit other GPOs or link any GPO to a site, domain, or OU; linking is a separate permission delegated on the container. | Create and edit their own GPOs. |
Schema Admins | Highly Privileged | The only group allowed to modify the forest schema; exists only in the forest root domain. Schema changes are forest-wide and largely irreversible, so keep it empty except during a planned change. | Modify the schema: add attributes and classes, change indexing and replication settings. |
Server Operators | Highly Privileged | Exists only on domain controllers. Members can log on locally, start and stop services, manage shares, and back up, restore, and shut down DCs. Microsoft recommends leaving it empty. | Manage services, shares, and restarts on DCs. |
Print Operators | Privileged (treat as Tier 0) | Manages printers on domain controllers; also holds local logon and the Load and unload device drivers right on DCs. Loading a printer driver on a DC runs third-party code in the DC's kernel, so Microsoft recommends leaving it empty. | Install and configure printers and printer drivers on DCs. |
Event Log Readers | Less Privileged | Built-in group whose members can read, but not clear, the event logs of the computer where it is applied, including the Security log on DCs. | Read and export event logs (for example, logon events) for monitoring and compliance. |
Hyper-V Administrators | Privileged (Tier 0 if DCs are virtual) | Local group on a Hyper-V host, not a domain group. Members have complete control over every VM on that host, including the ability to copy the virtual disk of a virtualized DC. | Create, configure, snapshot, and delete virtual machines; manage Hyper-V settings. |
Remote Desktop Users | Less Privileged | Local group that, together with the Allow log on through Remote Desktop Services user right, permits RDP logon to a machine. Grants no administrative rights by itself; on DCs only Administrators hold that right by default. | Log on to member servers and workstations over Remote Desktop. |
Read-Only Domain Controllers | Less Privileged | Contains the computer accounts of RODCs; people are never added to it. An RODC holds a read-only copy of the database and caches only the credentials its password replication policy allows, which limits exposure in branch offices. | Identifies RODC computer accounts for replication and permission purposes. |
Two patterns in this table matter for help desk design. First, Account Operators, Backup Operators, Server Operators, and Print Operators all carry logon and other rights on domain controllers, which is why Microsoft recommends keeping them empty: a technician added to one of them for convenience has a short path to domain compromise. Second, Cert Publishers and Read-Only Domain Controllers hold computer accounts rather than staff, and Hyper-V Administrators and Remote Desktop Users are local groups on individual servers rather than domain groups, so they do not belong in a domain-wide help desk role model at all.
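The practical check that follows from the table above is a membership audit of the groups that touch domain controllers. The script below is an added example and is not part of the original article or of any CyberQP product; it assumes the RSAT ActiveDirectory module is installed and that the caller can read group membership, and the two group lists are this example's own choice of what to flag.

```powershell
# Added example, not from the original article: report the membership of the
# built-in groups that grant domain-controller-level access, flagging groups
# Microsoft recommends keeping empty that have acquired members.
# Assumptions: the RSAT ActiveDirectory module is installed and the caller can
# read group membership in the domain; the two group lists are this example's own.
Import-Module ActiveDirectory

# Built-in groups that should have no standing members.
$shouldBeEmpty = @('Account Operators', 'Server Operators', 'Backup Operators',
                   'Print Operators', 'Schema Admins')
# Groups that legitimately have members but must be reviewed on every audit.
$reviewAlways  = @('Administrators', 'Domain Admins', 'Enterprise Admins',
                   'DNSAdmins', 'Group Policy Creator Owners', 'Cert Publishers')

function Get-PrivilegedGroupReport {
    param([string[]]$Groups = ($shouldBeEmpty + $reviewAlways))

    foreach ($name in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain,
        # so the lookup can legitimately fail in a child domain.
        try { $group = Get-ADGroup -Identity $name -ErrorAction Stop } catch { continue }

        # -Recursive expands nested groups so a user two levels down is still listed.
        try {
            $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
        } catch {
            # Recursive expansion can fail on foreign security principals from other
            # domains; fall back to the raw member DNs rather than dropping them.
            $members = @((Get-ADGroup -Identity $group -Properties member).member |
                ForEach-Object { [pscustomobject]@{ SamAccountName = $_; objectClass = 'unresolved' } })
        }

        $expectEmpty = $shouldBeEmpty -contains $name
        if ($members.Count -eq 0) {
            [pscustomobject]@{ Group = $name; Member = '(none)'; ObjectClass = ''; Finding = 'OK' }
            continue
        }
        foreach ($m in $members) {
            $finding = if ($expectEmpty) { 'Should be empty' } else { 'Review' }
            [pscustomobject]@{
                Group       = $name
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                Finding     = $finding
            }
        }
    }
}

# Accounts once placed in a protected group keep adminCount=1 after removal, which
# blocks ACL inheritance on them; list them so stale flags are cleaned up as well.
function Get-AdminCountAccounts {
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf |
        Select-Object SamAccountName, Enabled,
            @{ Name = 'GroupCount'; Expression = { @($_.memberOf).Count } }
}

Get-PrivilegedGroupReport | Sort-Object Finding, Group | Format-Table -AutoSize
Get-AdminCountAccounts    | Format-Table -AutoSize
```

Run it from a workstation that already has a privileged-access tooling baseline, not from a help desk machine. Any row marked Should be empty is a finding to remediate by moving the member to a delegated group; rows marked Review should be reconciled against the list of approved administrators. The second report matters because an account that was removed from Domain Admins but still carries adminCount=1 keeps the AdminSDHolder ACL and will not pick up the OU delegations you set up for help desk staff.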
The Top 20 Common Technician Tasks – And What You Need to Complete Them
For readers who prefer to start from the task, the table below lists common technician tasks, the least privileged way to grant each one, and the broader groups that also cover it. In most cases the least privileged option is not a built-in group at all but a custom group with rights delegated on a specific OU or object; a built-in group is listed as the floor only where that is what actually holds the right.
Task Description | Tasks | Least Privileged Security Group | Additional Security Groups | Examples |
--- | --- | --- | --- | --- |
AD Sites and Services Management | Create, modify, delete sites, subnets, and site links; manage site replication settings. | Enterprise Admins (Highly Privileged), or a custom group delegated rights on CN=Sites in the Configuration partition | Domain Admins of the forest root domain (Highly Privileged) | Setting up a new site for a branch office. |
Backup and Restore Operations | Back up the AD database (system state); restore AD from backup. | Backup Operators (Highly Privileged in practice; members can copy ntds.dit) | Administrators (Highly Privileged), Domain Admins (Highly Privileged); an authoritative restore also requires the DC's Directory Services Restore Mode password | Restoring AD from a backup after a failure. |
Certificate Services Management | Issue and revoke certificates; manage the CA. | Certificate Manager role on the CA (assigned in the CA's security settings, not an AD group) | CA Administrator role, local Administrators on the CA, Enterprise Admins (Highly Privileged). Cert Publishers only publishes certificates to the directory and does not cover this task | Issuing a certificate for a new web server. |
Computer Management | Join computers to the domain; manage computer accounts. | Custom group delegated Create/Delete Computer objects on the target OU (Less Privileged) | Account Operators (Privileged; can create computer accounts but also logs on to DCs), Administrators (Highly Privileged), Domain Admins (Highly Privileged) | Adding a new workstation to the domain. |
DFS (Distributed File System) Management | Manage DFS namespaces and replication. | Local Administrators on the namespace and replication servers; a domain-based namespace also needs write access to CN=Dfs-Configuration,CN=System in AD, held by Domain Admins unless delegated | Domain Admins (Highly Privileged). Server Operators exists only on DCs and does not apply to member file servers | Setting up a new DFS namespace for file sharing. |
DNS Management | Create, modify, delete DNS records; manage DNS zones. | A custom group granted write access on the specific zone object (Less Privileged) for record edits; DNSAdmins (Privileged; treat as Tier 0) for server-level settings | Domain Admins (Highly Privileged), Enterprise Admins (Highly Privileged) | Adding a DNS record for a new service. |
Domain Controller Management | Promote/demote domain controllers; manage domain controller policies. | Domain Admins (Highly Privileged) | Enterprise Admins (Highly Privileged), required when the DC is the first in a new domain | Promoting a new server to a domain controller. |
Event Log Management | View event logs on domain controllers; clear and manage them. | Event Log Readers (Less Privileged) for viewing | Administrators (Highly Privileged) for clearing the Security log, which needs the Manage auditing and security log right; Domain Admins (Highly Privileged) | Reviewing the Security log for failed logon attempts. |
File Server Management | Manage shared folders, NTFS permissions, and quotas on file servers. | Local Administrators group on the file server, or a data-owner group granted Full Control on the specific share and folder (Less Privileged) | Domain Admins (Highly Privileged). Server Operators applies only to shares hosted on DCs | Configuring permissions for a new shared folder. |
Group Management | Create, modify, delete security and distribution groups; manage group memberships. | Custom group delegated Create/Delete Group objects and write access to the member attribute on the target OU (Less Privileged) | Account Operators (Privileged; cannot modify AdminSDHolder-protected groups), Domain Admins (Highly Privileged), Administrators (Highly Privileged) | Adding a user to a security group. |
Group Policy Management | Create, modify, delete Group Policy Objects (GPOs); link GPOs to OUs or domains. | Group Policy Creator Owners (Privileged) for creating and editing their own GPOs; linking requires the Link GPOs permission delegated on the OU or domain | Domain Admins (Highly Privileged), Enterprise Admins (Highly Privileged) | Creating a new GPO for password policies. |
Hardware Management | Install, remove, or configure hardware on domain controllers. | Administrators (Highly Privileged); physical or driver-level work on a DC is Tier 0 work | Domain Admins (Highly Privileged); Server Operators (Highly Privileged) can shut down the DC for the maintenance window | Installing additional memory in a domain controller. |
Organizational Unit (OU) Management | Create, modify, delete OUs; delegate control within OUs. | Custom group delegated Create/Delete Organizational Unit objects on the parent OU (Less Privileged) | Domain Admins (Highly Privileged), Enterprise Admins (Highly Privileged) | Creating a new OU for a department. |
Password Policy Management | Configure the domain password policy; set account lockout settings; create fine-grained password policies. | Domain Admins (Highly Privileged) | Enterprise Admins (Highly Privileged) | Setting the domain password complexity requirements. |
Printer Management | Install, configure, and manage printers and print servers. | Local Print Operators or local Administrators on a dedicated print server; the domain Print Operators group (Privileged) only covers printers hosted on DCs, which is not recommended | Server Operators (Highly Privileged), Domain Admins (Highly Privileged) | Adding a new network printer. |
Replication Management | Manage AD replication; troubleshoot replication issues. | Domain Admins (Highly Privileged) | Enterprise Admins (Highly Privileged) | Troubleshooting replication delays between DCs. |
Schema Management | Modify the Active Directory schema, including adding new attributes and classes. | Schema Admins (Highly Privileged), with membership added only for the duration of the change | Enterprise Admins (Highly Privileged) can add members to Schema Admins but cannot edit the schema directly | Adding a new attribute to the AD schema. |
Security Policy Management | Manage security policies across the domain; configure audit settings. | Domain Admins (Highly Privileged) | Enterprise Admins (Highly Privileged) | Configuring audit settings for logon events. |
Service Account Management | Create, manage, and delete service accounts. | Custom group delegated Create/Delete User objects on a dedicated service-account OU (Less Privileged); group managed service accounts (gMSAs) need Domain Admins unless rights are delegated on the Managed Service Accounts container | Account Operators (Privileged), Domain Admins (Highly Privileged) | Creating a service account for an application. |
User Management | Create, modify, delete user accounts; reset passwords; unlock accounts. | Custom group delegated Create/Delete User objects, the Reset Password right, and write access to pwdLastSet and lockoutTime on the target OU (Less Privileged) | Account Operators (Privileged; cannot modify accounts with adminCount=1), Domain Admins (Highly Privileged), Administrators (Highly Privileged) | Onboarding a new employee and creating their account. |
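The User Management row above is the one most help desks get wrong by reaching for Account Operators. The script below is an added example, not code from the original article or from CyberQP; it delegates just the reset, unlock, and force-change rights to a custom group on one OU. The OU distinguished name and the group name are placeholders, and the example assumes the RSAT ActiveDirectory module (which provides the AD: drive) and an account allowed to modify the OU's ACL.

```powershell
# Added example, not from the original article: delegate the user-support rights a
# help desk actually needs (reset password, unlock, force change at next logon) to a
# custom group on one OU instead of adding technicians to Account Operators.
# Assumptions: RSAT ActiveDirectory module; $ouDN and $groupName are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=corp,DC=example'   # placeholder OU holding help-desk-managed users
$groupName = 'HelpDesk-UserSupport'          # placeholder custom global group for technicians

# Resolve the schema and extended-right GUIDs from this forest instead of hard-coding them.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Rule arguments: identity, rights, allow/deny, object GUID, inheritance, inherited class.
# 'Descendents' plus the user class scopes each rule to user objects below the OU only,
# so the group gains nothing on the OU itself, on groups, or on computers.
$rules = @(
    # Reset Password control-access right: set a new password without knowing the old one.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $resetPwd, 'Descendents', $userClass),
    # Write pwdLastSet so the technician can tick "User must change password at next logon".
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', 'Allow', $pwdLastSet, 'Descendents', $userClass),
    # Write lockoutTime so the technician can unlock the account.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', 'Allow', $lockoutTime, 'Descendents', $userClass)
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show exactly which ACEs the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Set-Acl accepts -WhatIf, so the change can be previewed first, and the verification query at the end is the same one to run during audits to confirm the group holds those three rights and nothing more. Because the rules are scoped to the user class, the delegation does not reach accounts with adminCount=1: AdminSDHolder resets their ACLs periodically, which is the intended outcome, since a help desk group should never be able to reset an administrator's password.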
Conclusion
Applying the principle of least privilege in Active Directory is vital for ensuring a secure and efficient environment. Understanding the roles, their privilege levels, and associated tasks allows you to tailor access controls to your organization’s specific needs effectively. Use this information to help manage permissions and maintain a robust security posture.
Are you ready to see how CyberQP simplifies Active Directory and Entra ID management for help desks and MSPs like yours? Connect with our team now.