The Active Directory Documentation Team has published an interesting post about default permissions of the Account Operators (AO) group that may still be present on a DC object as a result of ACLs placed earlier on the computer object.
In short:
- AO are granted permissions to manage many objects in a domain, among them computer objects.
- By default AO are granted Full Control on computer objects.
- If such a computer is later promoted to the DC role, these permissions remain on its object.
- Effectively this gives AO Full Control over the DC object.
- It applies to objects created in Windows 2003 and Windows 2008 R2 based directories.
- It doesn't apply to a directory created from scratch with Windows 2008.
- The remedy is simple:
- Just edit the object's ACLs and correct the AO permissions to meet your organization's standards.
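As an added example (not from the original post), the following PowerShell audits every DC computer object for ACEs granted to Account Operators and, optionally, removes the explicit ones; the function names are my own, and it assumes the ActiveDirectory RSAT module and an account with read (and, for removal, write-DACL) access to the DC objects.

```powershell
# Added example: audit and optionally remove Account Operators ACEs on DC computer objects.
# Assumes the ActiveDirectory module (RSAT) so that the AD: PSDrive is available.
Import-Module ActiveDirectory

# BUILTIN\Account Operators has the well-known SID S-1-5-32-548; comparing SIDs
# avoids problems with localized group names.
$aoSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-548'

function Get-TrusteeSid($ace) {
    try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # unresolvable (orphaned) trustees are simply skipped
}

# Lists every ACE on each DC computer object whose trustee is Account Operators.
function Get-AccountOperatorsDcAces {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dn  = $dc.ComputerObjectDN
        $acl = Get-Acl -Path ("AD:\" + $dn)
        foreach ($ace in $acl.Access) {
            if ((Get-TrusteeSid $ace) -ne $aoSid.Value) { continue }
            [pscustomobject]@{
                DomainController = $dc.HostName
                ObjectDN         = $dn
                Rights           = $ace.ActiveDirectoryRights
                Type             = $ace.AccessControlType
                Inherited        = $ace.IsInherited
                # GenericAll is the "Full Control" the post warns about
                FullControl      = $ace.ActiveDirectoryRights.HasFlag(
                                       [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
            }
        }
    }
}

# Removes the explicit (non-inherited) Account Operators ACEs from each DC object.
# Run with -WhatIf first; inherited ACEs must be fixed at the object they come from.
function Remove-AccountOperatorsDcAces {
    param([switch]$WhatIf)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $path = "AD:\" + $dc.ComputerObjectDN
        $acl  = Get-Acl -Path $path
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited -and (Get-TrusteeSid $_) -eq $aoSid.Value })
        foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
        if ($explicit.Count -gt 0) { Set-Acl -Path $path -AclObject $acl -WhatIf:$WhatIf }
    }
}

Get-AccountOperatorsDcAces | Format-Table -AutoSize
```

Review the audit output against your own standards before running the removal; the post only says the ACLs should be corrected, so dropping the explicit AO ACEs is one possible correction, not the only one.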
In general I don't like repeating other posts, but I thought this one was interesting.