Active Directory groups and permissons,
Active Directory’de bulunan grupların yetkileri ve genel özellikleri ile ilgili bilgiler aşağıdaki tabloda bulunmaktadır.
| Account or Group | Default Container, Group Scope and Type | Description and Default User Rights |
| Access Control Assistance Operators (Active Directory in Windows Server 2012) | Built-in container | Members of this group can remotely query authorization attributes and permissions for resources on this computer. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Account Operators | Built-in container | Members can administer domain user and group accounts. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Administrator account | Users container | Built-in account for administering the domain. |
| Not a group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Adjust memory quotas for a process | ||
| Allow log on locally | ||
| Allow log on through Remote Desktop Services | ||
| Back up files and directories | ||
| Bypass traverse checking | ||
| Change the system time | ||
| Change the time zone | ||
| Create a pagefile | ||
| Create global objects | ||
| Create symbolic links | ||
| Debug programs | ||
| Enable computer and user accounts to be trusted for delegation | ||
| Force shutdown from a remote system | ||
| Impersonate a client after authentication | ||
| Increase a process working set | ||
| Increase scheduling priority | ||
| Load and unload device drivers | ||
| Log on as a batch job | ||
| Manage auditing and security log | ||
| Modify firmware environment values | ||
| Perform volume maintenance tasks | ||
| Profile single process | ||
| Profile system performance | ||
| Remove computer from docking station | ||
| Restore files and directories | ||
| Shut down the system | ||
| Take ownership of files or other objects | ||
| Administrators group | Built-in container | Administrators have complete and unrestricted access to the domain. |
| Domain-local security group | Direct user rights: | |
| Access this computer from the network | ||
| Adjust memory quotas for a process | ||
| Allow log on locally | ||
| Allow log on through Remote Desktop Services | ||
| Back up files and directories | ||
| Bypass traverse checking | ||
| Change the system time | ||
| Change the time zone | ||
| Create a pagefile | ||
| Create global objects | ||
| Create symbolic links | ||
| Debug programs | ||
| Enable computer and user accounts to be trusted for delegation | ||
| Force shutdown from a remote system | ||
| Impersonate a client after authentication | ||
| Increase scheduling priority | ||
| Load and unload device drivers | ||
| Log on as a batch job | ||
| Manage auditing and security log | ||
| Modify firmware environment values | ||
| Perform volume maintenance tasks | ||
| Profile single process | ||
| Profile system performance | ||
| Remove computer from docking station | ||
| Restore files and directories | ||
| Shut down the system | ||
| Take ownership of files or other objects | ||
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Allowed RODC Password Replication Group | Users container | Members in this group can have their passwords replicated to all read-only domain controllers in the domain. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Backup Operators | Built-in container | Backup Operators can override security restrictions for the sole purpose of backing up or restoring files. |
| Domain-local security group | Direct user rights: | |
| Allow log on locally | ||
| Back up files and directories | ||
| Log on as a batch job | ||
| Restore files and directories | ||
| Shut down the system | ||
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Cert Publishers | Users container | Members of this group are permitted to publish certificates to the directory. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Certificate Service DCOM Access | Built-in container | If Certificate Services is installed on a domain controller (not recommended), this group grants DCOM enrollment access to Domain Users and Domain Computers. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Cloneable Domain Controllers (AD DS in Windows Server 2012AD DS) | Users container | Members of this group that are domain controllers may be cloned. |
| Global security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Cryptographic Operators | Built-in container | Members are authorized to perform cryptographic operations. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Debugger Users | This is neither a default nor a built-in group, but when present in AD DS, is cause for further investigation. | The presence of a Debugger Users group indicates that debugging tools have been installed on the system at some point, whether via Visual Studio, SQL, Office, or other applications that require and support a debugging environment. This group allows remote debugging access to computers. When this group exists at the domain level, it indicates that a debugger or an application that contains a debugger has been installed on a domain controller. |
| Denied RODC Password Replication Group | Users container | Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| DHCP Administrators | Users container | Members of this group have administrative access to the DHCP Server service. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| DHCP Users | Users container | Members of this group have view-only access to the DHCP Server service. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Distributed COM Users | Built-in container | Members of this group are allowed to launch, activate, and use distributed COM objects on this computer. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| DnsAdmins | Users container | Members of this group have administrative access to the DNS Server service. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| DnsUpdateProxy | Users container | Members of this group are DNS clients who are permitted to perform dynamic updates on behalf of clients that cannot themselves perform dynamic updates. Members of this group are typically DHCP servers. |
| Global security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Domain Admins | Users container | Designated administrators of the domain; Domain Admins is a member of every domain-joined computer’s local Administrators group and receives rights and permissions granted to the local Administrators group, in addition to the domain’s Administrators group. |
| Global security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Adjust memory quotas for a process | ||
| Allow log on locally | ||
| Allow log on through Remote Desktop Services | ||
| Back up files and directories | ||
| Bypass traverse checking | ||
| Change the system time | ||
| Change the time zone | ||
| Create a pagefile | ||
| Create global objects | ||
| Create symbolic links | ||
| Debug programs | ||
| Enable computer and user accounts to be trusted for delegation | ||
| Force shutdown from a remote system | ||
| Impersonate a client after authentication | ||
| Increase a process working set | ||
| Increase scheduling priority | ||
| Load and unload device drivers | ||
| Log on as a batch job | ||
| Manage auditing and security log | ||
| Modify firmware environment values | ||
| Perform volume maintenance tasks | ||
| Profile single process | ||
| Profile system performance | ||
| Remove computer from docking station | ||
| Restore files and directories | ||
| Shut down the system | ||
| Take ownership of files or other objects | ||
| Domain Computers | Users container | All workstations and servers that are joined to the domain are by default members of this group. |
| Global security group | Default direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Domain Controllers | Users container | All domain controllers in the domain. Note: Domain controllers are not a member of the Domain Computers group. |
| Global security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Domain Guests | Users container | All guests in the domain |
| Global security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Domain Users | Users container | All users in the domain |
| Global security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Enterprise Admins (exists only in forest root domain) | Users container | Enterprise Admins have permissions to change forest-wide configuration settings; Enterprise Admins is a member of every domain’s Administrators group and receives rights and permissions granted to that group. |
| Universal security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Adjust memory quotas for a process | ||
| Allow log on locally | ||
| Allow log on through Remote Desktop Services | ||
| Back up files and directories | ||
| Bypass traverse checking | ||
| Change the system time | ||
| Change the time zone | ||
| Create a pagefile | ||
| Create global objects | ||
| Create symbolic links | ||
| Debug programs | ||
| Enable computer and user accounts to be trusted for delegation | ||
| Force shutdown from a remote system | ||
| Impersonate a client after authentication | ||
| Increase a process working set | ||
| Increase scheduling priority | ||
| Load and unload device drivers | ||
| Log on as a batch job | ||
| Manage auditing and security log | ||
| Modify firmware environment values | ||
| Perform volume maintenance tasks | ||
| Profile single process | ||
| Profile system performance | ||
| Remove computer from docking station | ||
| Restore files and directories | ||
| Shut down the system | ||
| Take ownership of files or other objects | ||
| Enterprise Read-only Domain Controllers | Users container | This group contains the accounts for all read-only domain controllers in the forest. |
| Universal security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Event Log Readers | Built-in container | Members of this group in can read the event logs on domain controllers. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Group Policy Creator Owners | Users container | Members of this group can create and modify Group Policy Objects in the domain. |
| Global security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Guest | Users container | This is the only account in an AD DS domain that does not have the Authenticated Users SID added to its access token. Therefore, any resources that are configured to grant access to the Authenticated Users group will not be accessible to this account. This behavior is not true of members of the Domain Guests and Guests groups, however- members of those groups do have the Authenticated Users SID added to their access tokens. |
| Not a group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Guests | Built-in container | Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted as described earlier. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Hyper-V Administrators (Windows Server 2012) | Built-in container | Members of this group have complete and unrestricted access to all features of Hyper-V. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| IIS_IUSRS | Built-in container | Built-in group used by Internet Information Services. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Incoming Forest Trust Builders (exists only in forest root domain) | Built-in container | Members of this group can create incoming, one-way trusts to this forest. (Creation of outbound forest trusts is reserved for Enterprise Admins.) |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Krbtgt | Users container | The Krbtgt account is the service account for the Kerberos Key Distribution Center in the domain. This account has access to all accounts’ credentials stored in Active Directory. This account is disabled by default and should never be enabled |
| Not a group | User rights: N/A | |
| Network Configuration Operators | Built-in container | Members of this group are granted privileges that allow them to manage configuration of networking features. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Performance Log Users | Built-in container | Members of this group can schedule logging of performance counters, enable trace providers, and collect event traces locally and via remote access to the computer. |
| Domain-local security group | Direct user rights: | |
| Log on as a batch job | ||
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Performance Monitor Users | Built-in container | Members of this group can access performance counter data locally and remotely. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Pre-Windows 2000 Compatible Access | Built-in container | This group exists for backward compatibility with operating systems prior to Windows 2000 Server, and it provides the ability for members to read user and group information in the domain. |
| Domain-local security group | Direct user rights: | |
| Access this computer from the network | ||
| Bypass traverse checking | ||
| Inherited user rights: | ||
| Add workstations to domain | ||
| Increase a process working set | ||
| Print Operators | Built-in container | Members of this group can administer domain printers. |
| Domain-local security group | Direct user rights: | |
| Allow log on locally | ||
| Load and unload device drivers | ||
| Shut down the system | ||
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| RAS and IAS Servers | Users container | Servers in this group can read remote access properties on user accounts in the domain. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| RDS Endpoint Servers (Windows Server 2012) | Built-in container | Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| RDS Management Servers (Windows Server 2012) | Built-in container | Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| RDS Remote Access Servers (Windows Server 2012) | Built-in container | Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Read-only Domain Controllers | Users container | This group contains all read-only domain controllers in the domain. |
| Global security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Remote Desktop Users | Built-in container | Members of this group are granted the right to log on remotely using RDP. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Remote Management Users (Windows Server 2012) | Built-in container | Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Replicator | Built-in container | Supports legacy file replication in a domain. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Schema Admins (exists only in forest root domain) | Users container | Schema admins are the only users who can make modifications to the Active Directory schema, and only if the schema is write-enabled. |
| Universal security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Server Operators | Built-in container | Members of this group can administer domain servers. |
| Domain-local security group | Direct user rights: | |
| Allow log on locally | ||
| Back up files and directories | ||
| Change the system time | ||
| Change the time zone | ||
| Force shutdown from a remote system | ||
| Restore files and directories | ||
| Shut down the system | ||
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Terminal Server License Servers | Built-in container | Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage |
| Domain-local security group | Default direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| Users | Built-in container | Users have permissions that allow them to read many objects and attributes in Active Directory, although they cannot change most. Users are prevented from making accidental or intentional system-wide changes and can run most applications. |
| Domain-local security group | Direct user rights: | |
| Increase a process working set | ||
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Windows Authorization Access Group | Built-in container | Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set | ||
| WinRMRemoteWMIUsers_ (Windows Server 2012) | Users container | Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. |
| Domain-local security group | Direct user rights: None | |
| Inherited user rights: | ||
| Access this computer from the network | ||
| Add workstations to domain | ||
| Bypass traverse checking | ||
| Increase a process working set |
Azure Security - Cyber Security 