diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 05ea62503f..4d1ebc58cb 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -313,217 +313,217 @@ The following tables provide descriptions of the default groups that are located
Yes |
Yes |
-
+
[Enterprise Key Admins](#bkmk-enterprise-key-admins) |
Yes |
|
|
|
-
+
[Enterprise Read-only Domain Controllers](#bkmk-entrodc) |
Yes |
Yes |
Yes |
Yes |
-
+
[Event Log Readers](#bkmk-eventlogreaders) |
Yes |
Yes |
Yes |
Yes |
-
+
[Group Policy Creator Owners](#bkmk-gpcreatorsowners) |
Yes |
Yes |
Yes |
Yes |
-
+
[Guests](#bkmk-guests) |
Yes |
Yes |
Yes |
Yes |
-
+
[Hyper-V Administrators](#bkmk-hypervadministrators) |
Yes |
Yes |
Yes |
|
-
+
[IIS_IUSRS](#bkmk-iis-iusrs) |
Yes |
Yes |
Yes |
Yes |
-
+
[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs) |
Yes |
Yes |
Yes |
Yes |
-
+
[Key Admins](#key-admins) |
Yes |
|
|
|
-
+
[Network Configuration Operators](#bkmk-networkcfgoperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Performance Log Users](#bkmk-perflogusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Performance Monitor Users](#bkmk-perfmonitorusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess) |
Yes |
Yes |
Yes |
Yes |
-
+
[Print Operators](#bkmk-printoperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Protected Users](#bkmk-protectedusers) |
Yes |
Yes |
|
|
-
+
[RAS and IAS Servers](#bkmk-rasandias) |
Yes |
Yes |
Yes |
Yes |
-
+
[RDS Endpoint Servers](#bkmk-rdsendpointservers) |
Yes |
Yes |
Yes |
|
-
+
[RDS Management Servers](#bkmk-rdsmanagementservers) |
Yes |
Yes |
Yes |
|
-
+
[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers) |
Yes |
Yes |
Yes |
|
-
+
[Read-only Domain Controllers](#bkmk-rodc) |
Yes |
Yes |
Yes |
Yes |
-
+
[Remote Desktop Users](#bkmk-remotedesktopusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Remote Management Users](#bkmk-remotemanagementusers) |
Yes |
Yes |
Yes |
|
-
+
[Replicator](#bkmk-replicator) |
Yes |
Yes |
Yes |
Yes |
-
+
[Schema Admins](#bkmk-schemaadmins) |
Yes |
Yes |
Yes |
Yes |
-
+
[Server Operators](#bkmk-serveroperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Storage Replica Administrators](#storage-replica-administrators) |
Yes |
|
|
|
-
+
[System Managed Accounts Group](#system-managed-accounts-group) |
Yes |
|
|
|
-
+
[Terminal Server License Servers](#bkmk-terminalserverlic) |
Yes |
Yes |
Yes |
Yes |
-
+
[Users](#bkmk-users) |
Yes |
Yes |
Yes |
Yes |
-
+
[Windows Authorization Access Group](#bkmk-winauthaccess) |
Yes |
Yes |
Yes |
Yes |
-
+
[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-) |
|
Yes |
@@ -1763,8 +1763,25 @@ This security group has not changed since Windows Server 2008.
-
+### Enterprise Key Admins
+Members of this group can perform administrative actions on key objects within the forest.
+
+The Enterprise Key Admins group was introduced in Windows Server 2016.
+
+| Attribute | Value |
+|-----------|-------|
+| Well-Known SID/RID | S-1-5-21-<domain>-527 |
+| Type | Global |
+| Default container | CN=Users, DC=<domain>, DC= |
+| Default members | None |
+| Default member of | None |
+| Protected by ADMINSDHOLDER? | No |
+| Safe to move out of default container? | Yes |
+| Safe to delegate management of this group to non-Service admins? | No |
+| Default User Rights | None |
+
+
### Enterprise Read-Only Domain Controllers
Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.
@@ -2233,7 +2250,7 @@ The Key Admins group applies to versions of the Windows Server operating system
| Attribute | Value |
|-----------|-------|
-| Well-Known SID/RID | S-1-5-21-4195037842-338827918-94892514-526 |
+| Well-Known SID/RID | S-1-5-21-<domain>-526 |
| Type | Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |