From e2099f9eb81b49d7740e779eae332ea3c5d76bf9 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 17 Aug 2016 17:45:46 -0700 Subject: [PATCH] Bringing AD security groups topic partly up to date --- .../active-directory-security-groups.md | 142 +++++++++++++----- 1 file changed, 107 insertions(+), 35 deletions(-) diff --git a/windows/keep-secure/active-directory-security-groups.md b/windows/keep-secure/active-directory-security-groups.md index 630308945a..222a412783 100644 --- a/windows/keep-secure/active-directory-security-groups.md +++ b/windows/keep-secure/active-directory-security-groups.md @@ -172,10 +172,10 @@ The following tables provide descriptions of the default groups that are located Default Security Group +Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 -Windows Server 2008 @@ -183,7 +183,7 @@ The following tables provide descriptions of the default groups that are located

[Access Control Assistance Operators](#bkmk-acasstops)

Yes

Yes

-

+

Yes

@@ -232,7 +232,7 @@ The following tables provide descriptions of the default groups that are located

[Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers)

Yes

Yes

-

+

Yes

@@ -327,7 +327,7 @@ The following tables provide descriptions of the default groups that are located

Yes

-

[Group Policy Creators Owners](#bkmk-gpcreatorsowners)

+

[Group Policy Creator Owners](#bkmk-gpcreatorsowners)

Yes

Yes

Yes
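Review bot: The row label is corrected from "Group Policy Creators Owners" to "Group Policy Creator Owners", but the link target stays #bkmk-gpcreatorsowners and none of the hunks shown here touches the section that anchor points to. Please confirm that the section heading and its body text use the corrected name too, so the table and the section do not disagree on the group's name.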

@@ -344,7 +344,7 @@ The following tables provide descriptions of the default groups that are located

[Hyper-V Administrators](#bkmk-hypervadministrators)

Yes

Yes

-

+

Yes

@@ -362,143 +362,164 @@ The following tables provide descriptions of the default groups that are located

Yes

+

[Key Admins](#key-admins)

+

Yes

+

+

+

+ +

[Network Configuration Operators](#bkmk-networkcfgoperators)

Yes

Yes

Yes

Yes

- +

[Performance Log Users](#bkmk-perflogusers)

Yes

Yes

Yes

Yes

- +

[Performance Monitor Users](#bkmk-perfmonitorusers)

Yes

Yes

Yes

Yes

- +

[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)

Yes

Yes

Yes

Yes

- +

[Print Operators](#bkmk-printoperators)

Yes

Yes

Yes

Yes

- +

[Protected Users](#bkmk-protectedusers)

Yes

+

Yes

-

- +

[RAS and IAS Servers](#bkmk-rasandias)

Yes

Yes

Yes

Yes

- +

[RDS Endpoint Servers](#bkmk-rdsendpointservers)

Yes

Yes

-

-

- - -

[RDS Management Servers](#bkmk-rdsmanagementservers)

Yes

-

Yes

-

-

[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)

+

[RDS Management Servers](#bkmk-rdsmanagementservers)

+

Yes

Yes

Yes

-

+

[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)

+

Yes

+

Yes

+

Yes

+

+ +

[Read-only Domain Controllers](#bkmk-rodc)

Yes

Yes

Yes

Yes

- +

[Remote Desktop Users](#bkmk-remotedesktopusers)

Yes

Yes

Yes

Yes

- +

[Remote Management Users](#bkmk-remotemanagementusers)

Yes

Yes

-

+

Yes

- +

[Replicator](#bkmk-replicator)

Yes

Yes

Yes

Yes

- +

[Schema Admins](#bkmk-schemaadmins)

Yes

Yes

Yes

Yes

- +

[Server Operators](#bkmk-serveroperators)

Yes

Yes

Yes

Yes

+ +

[Storage Replica Administrators](#storage-replica-administrators)

+

Yes

+

+

+

+ +

[System Managed Accounts Group](#system-managed-accounts-group)

+

Yes

+

+

+

+ +

[Terminal Server License Servers](#bkmk-terminalserverlic)

Yes

Yes

Yes

Yes

- +

[Users](#bkmk-users)

Yes

Yes

Yes

Yes

- +

[Windows Authorization Access Group](#bkmk-winauthaccess)

Yes

Yes

Yes

Yes

- +

[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)

-

Yes

-

Yes

+

Yes

+

Yes
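Review bot: The three new rows (Key Admins, Storage Replica Administrators, System Managed Accounts Group) link to #key-admins, #storage-replica-administrators and #system-managed-accounts-group, while every existing row in this table uses a #bkmk-… anchor. The new targets only resolve if the renderer generates ids from the headings added later in this patch, so please either verify that or give the new sections explicit anchors in the existing style. Separately, many of the paired - / + lines between rows here carry no visible content and look like whitespace-only changes; dropping them would shrink this hunk to the rows that actually change and make the column shift from Windows Server 2008 to Windows Server 2016 much easier to check row by row.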

@@ -2196,7 +2217,23 @@ This security group has not changed since Windows Server 2008. -  +### Key Admins + +Members of this group can perform administrative actions on key objects within the domain. + +The Key Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). + +| Attribute | Value | +|-----------|-------| +| Well-Known SID/RID | S-1-5-21-4195037842-338827918-94892514-526 | +| Type | Global | +| Default container | CN=Users, DC=<domain>, DC= | +| Default members | None | +| Default member of | None | +| Protected by ADMINSDHOLDER? | No | +| Safe to delegate management of this group to non-Service admins? | No | + + ### Network Configuration Operators 
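Review bot: The Well-Known SID/RID value in the new Key Admins table, S-1-5-21-4195037842-338827918-94892514-526, embeds the domain identifier of one particular domain, so it will not match any reader's environment and reads as if it were a fixed value. Only the trailing RID 526 is well known; please replace the three domain sub-authorities with the same domain placeholder that the Default container row uses. That Default container row also ends in a bare "DC=" with no value, which looks like a placeholder that was lost and should be restored.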
@@ -3299,7 +3336,42 @@ This security group has not changed since Windows Server 2008. -  +### Storage Replica Administrators + +Members of this group have complete and unrestricted access to all features of Storage Replica. + +The Storage Replica Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). + +| Attribute | Value | +|-----------|-------| +| Well-Known SID/RID | S-1-5-32-582 | +| Type | BuiltIn Local | +| Default container | CN=BuiltIn, DC=<domain>, DC= | +| Default members | None | +| Default member of | None | +| Protected by ADMINSDHOLDER? | No | +| Safe to delegate management of this group to non-Service admins? | No | + + + +### System Managed Accounts Group + +Members of this group are managed by the system. + +The System Managed Accounts group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). + + +| Attribute | Value | +|-----------|-------| +| Well-Known SID/RID | S-1-5-32-581 | +| Type | BuiltIn Local | +| Default container | CN=BuiltIn, DC=<domain>, DC= | +| Default members | Users | +| Default member of | None | +| Protected by ADMINSDHOLDER? | No | +| Safe to delegate management of this group to non-Service admins? | No | + + ### Terminal Server License Servers
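Review bot: The System Managed Accounts Group description, "Members of this group are managed by the system.", does not tell an administrator what the group is used for or why Users is listed as a default member, which is the information a reader needs before deciding whether membership changes matter. Please expand it to the level of the Storage Replica Administrators description just above. The next sentence also calls it "The System Managed Accounts group" while the heading and table link use "System Managed Accounts Group"; pick one form. Both new tables have a Default container value that ends in a bare "DC=" with nothing after it, which looks like a dropped placeholder.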