The Active Directory Documentation Team has pointed out what I consider a vulnerability in the built-in Active Directory Account Operators group as it applies to Domain Controllers. Under certain conditions, which are very common, the Account Operators group retains the Full Control permission on the computer object for a domain controller. As you can imagine, this is not desired in almost every case.
From the Active Directory Documentation Team’s post:
By default, a newly created computer account is assigned an “Account Ops-FC” access control entry (ACE) that gives members of the Account Operators group full control over the computer account. If a server that is represented by this computer account is promoted to a domain controller, the computer account retains this “Account Ops-FC” ACE and therefore, members of the Account Operators group will have full control on this domain controller, which is not a recommended configuration.
In my 10 years working with AD, I have yet to run into a case where members of the Account Operators group needed any permissions on the computer object for DCs, let alone the Full Control permission.
The fix is obvious: modify the Access Control List (ACL) on the computer object of each of your DCs to remove the Account Operators entry.
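One way to find and clean up the ACLs the fix refers to, as an added example rather than code from the original post: this PowerShell script (assuming the RSAT ActiveDirectory module and an account with rights to read, and with -Remove write, the DC computer objects' security descriptors) reports every explicit Account Operators ACE on each DC's computer object and, only when -Remove is passed, strips those entries.

```powershell
# Added example (not from the original post): audit, and optionally remove,
# Account Operators ACEs on the computer object of every domain controller.
# Assumes the ActiveDirectory RSAT module is installed and the caller can read
# (and, with -Remove, write) the DC computer objects' ACLs.
# Run in report mode first; pass -Remove only after reviewing the output.
param(
    [switch]$Remove
)

Import-Module ActiveDirectory

# Resolve the group from its well-known SID (S-1-5-32-548) rather than by name,
# so a renamed or localized group name does not break the match.
$accountOps     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-548'
$accountOpsName = $accountOps.Translate([System.Security.Principal.NTAccount]).Value

foreach ($dc in Get-ADDomainController -Filter *) {
    $path = "AD:\$($dc.ComputerObjectDN)"
    $acl  = Get-Acl -Path $path

    # Only explicit (non-inherited) ACEs can be removed from this object;
    # the "Account Ops-FC" entry described in the post is an explicit Allow ACE.
    $aces = $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $accountOpsName
    }

    if (-not $aces) {
        Write-Output "$($dc.HostName): no explicit Account Operators ACE"
        continue
    }

    foreach ($ace in $aces) {
        Write-Output ("{0}: {1} {2} ({3})" -f $dc.HostName, $ace.AccessControlType,
            $ace.ActiveDirectoryRights, $ace.InheritanceType)
        if ($Remove) {
            # RemoveAccessRule returns $true when a matching rule was removed
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    if ($Remove) {
        # Write the modified security descriptor back to the computer object
        Set-Acl -Path $path -AclObject $acl
        Write-Output "$($dc.HostName): Account Operators ACE(s) removed"
    }
}
```

Re-running the script without -Remove afterwards should report no explicit Account Operators ACE on any DC; the same check works as a periodic audit, since newly promoted DCs inherit the problem described above.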
This vulnerability further supports the point I’ve made many times: implement delegation models and do not leverage built-in groups. If you need more reasons, check out my previous posts Understanding AdminSDHolder and Protected Groups and Active Directory – Gone in 60 Seconds.
