Can anyone provide their top 5-10 higher risk security permissions for AD objects? I was thinking along the lines of:
1) Users who can reset passwords for accounts other than their own
2) Users who can add members to high security groups such as "domain admins"
Also - what is the exact permission in the security ACL for a domain group that shows which users can ADD new members into this group?