High risk AD permissions

Can anyone provide their top 5-10 higher risk security permissions for AD objects? I was thinking along the lines of:

1) Users who can reset passwords for accounts other than their own
2) Users who can add members to high security groups such as "domain admins"

etc

Also - what is the exact permission in the security ACL for a domain group that shows which users can ADD new members into this group?
Asked by: pma111

arnold commented:
The password reset option usually limits the reset to accounts with a similar or lower level, i.e. a limited user in an OU that has the OU password reset option will not be able to reset the Administrator account password.
It would depend on the reset delegation.
The user will have write/modify rights in the OU/group security.
Making a user a member of the Account Operators group.

The delegation command line tools:
http://technet.microsoft.com/en-us/library/cc756087%28v=ws.10%29.aspx

Server Operators, etc. Several rights, if granted to the wrong people, could be hazardous to the enterprise. Not sure what you are trying to get to.
Question has a verified solution.
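
An added example, not part of the original thread or either poster's code: a PowerShell audit function that flags the access control entries behind the two risks named in the question (adding group members, resetting passwords). It relies on the well-known GUIDs of the `member` attribute and the Reset Password extended right; `Get-RiskyAce`, the trustee names and the sample ACEs are constructed for illustration.

```powershell
# Added example: flag ACEs that allow membership changes or password resets.
Add-Type -AssemblyName System.DirectoryServices
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# Well-known GUIDs, identical in every forest.
$MemberAttr    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$Any           = [guid]::Empty                                  # ACE not scoped to one property/right

function Get-RiskyAce {                      # hypothetical helper name
    param([Parameter(Mandatory)]$Ace)        # collection of ActiveDirectoryAccessRule
    foreach ($a in $Ace) {
        if ($a.AccessControlType -ne $Allow) { continue }
        $r = $a.ActiveDirectoryRights
        $risk = @()
        if ($r.HasFlag($R::GenericAll)) {
            $risk += 'Full control'          # implies every right below
        } else {
            if ($r.HasFlag($R::WriteDacl))  { $risk += 'Can change the ACL' }
            if ($r.HasFlag($R::WriteOwner)) { $risk += 'Can take ownership' }
            # Write access to 'member' is what allows adding users to a group.
            if ($r.HasFlag($R::WriteProperty) -and $a.ObjectType -in $MemberAttr, $Any) {
                $risk += "Can write 'member' (add/remove group members)"
            }
            if ($r.HasFlag($R::ExtendedRight) -and $a.ObjectType -in $ResetPassword, $Any) {
                $risk += 'Can reset password'
            }
        }
        # ACEs scoped to a property set are not examined here.
        if ($risk) {
            [pscustomobject]@{ Trustee = $a.IdentityReference; Inherited = $a.IsInherited
                               Risk = $risk -join '; ' }
        }
    }
}

# Constructed sample ACEs (hypothetical trustees) so the function runs without a domain.
$Rule = [System.DirectoryServices.ActiveDirectoryAccessRule]
$sample = @(
    $Rule::new([System.Security.Principal.NTAccount]'EXAMPLE\helpdesk', $R::WriteProperty, $Allow, $MemberAttr),
    $Rule::new([System.Security.Principal.NTAccount]'EXAMPLE\auditors', $R::ReadProperty, $Allow),
    $Rule::new([System.Security.Principal.NTAccount]'EXAMPLE\svc-legacy', $R::GenericAll, $Allow)
)
Get-RiskyAce -Ace $sample    # flags helpdesk and svc-legacy, not auditors

# Against a live object (ActiveDirectory module; <group DN> is a placeholder):
# Get-RiskyAce -Ace (Get-Acl "AD:\<group DN>").Access
```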