
3.1.1.6.1.2 Protected Objects

In domain d, the set S of all security principal objects o that are protected is defined as follows:

  • (o!objectClass = group AND attribute o!groupType & GROUP_TYPE_SECURITY_ENABLED ≠ 0) OR (o!objectClass = user)

  • AND (o!objectSid = d!objectSid + RID)

  • AND either

    • o is a member, directly or transitively, of any group in the set:

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_ADMINS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_ACCOUNT_OPS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_SYSTEM_OPS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_PRINT_OPS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_BACKUP_OPS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_REPLICATOR

      • account domain well-known group with RID = DOMAIN_GROUP_RID_ADMINS

      • account domain well-known group with RID = DOMAIN_GROUP_RID_SCHEMA_ADMINS

      • account domain well-known group with RID = DOMAIN_GROUP_RID_ENTERPRISE_ADMINS

    • OR, is one of the following well-known security principals:

      • of class user with RID = DOMAIN_USER_RID_ADMIN

      • of class user with RID = DOMAIN_USER_RID_KRBTGT

      • of class group with RID = DOMAIN_GROUP_RID_CONTROLLERS

      • of class group with RID = DOMAIN_GROUP_RID_READONLY_CONTROLLERS
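The definition above, evaluated over a small in-memory directory. This is an added example, not part of the specification. The numeric RIDs and the 0x80000000 flag are the standard Windows values for the named constants and do not appear on this page; the domain SID, the directory contents and the function name are constructed for illustration.

```python
# Added example: evaluates the protected-object definition over a constructed directory.
GROUP_TYPE_SECURITY_ENABLED = 0x80000000
BUILTIN = "S-1-5-32"
BUILTIN_RIDS = (544, 548, 549, 550, 551, 552)  # ADMINS, ACCOUNT_OPS, SYSTEM_OPS, PRINT_OPS, BACKUP_OPS, REPLICATOR
DOMAIN_GROUP_RIDS = (512, 518, 519)            # ADMINS, SCHEMA_ADMINS, ENTERPRISE_ADMINS
WELL_KNOWN = {("user", 500), ("user", 502),    # DOMAIN_USER_RID_ADMIN, DOMAIN_USER_RID_KRBTGT
              ("group", 516), ("group", 521)}  # DOMAIN_GROUP_RID_CONTROLLERS, _READONLY_CONTROLLERS

def protected_objects(domain_sid, objects):
    """objects maps objectSid -> (objectClass, groupType, [member SIDs]); returns the set S."""
    roots = [f"{BUILTIN}-{r}" for r in BUILTIN_RIDS] + [f"{domain_sid}-{r}" for r in DOMAIN_GROUP_RIDS]
    members, stack = set(), [s for s in roots if s in objects]
    while stack:                               # walk membership transitively; safe on cycles
        for m in objects[stack.pop()][2]:
            if m not in members:
                members.add(m)
                if m in objects and objects[m][0] == "group":
                    stack.append(m)
    protected = set()
    for sid, (cls, group_type, _) in objects.items():
        prefix, _, rid = sid.rpartition("-")
        # groupType arrives from LDAP as a signed 32-bit integer; the mask still works
        principal = cls == "user" or (cls == "group" and (group_type & GROUP_TYPE_SECURITY_ENABLED) != 0)
        in_domain = prefix == domain_sid       # o!objectSid = d!objectSid + RID
        if principal and in_domain and (sid in members or (cls, int(rid)) in WELL_KNOWN):
            protected.add(sid)
    return protected

D = "S-1-5-21-1111-2222-3333"                  # constructed domain SID
SAMPLE = {                                     # constructed directory contents
    f"{BUILTIN}-544": ("group", -2147483643, [f"{D}-500", f"{D}-512"]),
    f"{BUILTIN}-548": ("group", -2147483643, [f"{D}-1200"]),
    f"{D}-500": ("user", 0, []),
    f"{D}-502": ("user", 0, []),
    f"{D}-512": ("group", -2147483646, [f"{D}-1104", "S-1-5-21-9-9-9-1104"]),
    f"{D}-516": ("group", -2147483646, []),
    f"{D}-1200": ("group", 2, [f"{D}-1105", f"{D}-1201"]),  # distribution group
    f"{D}-1201": ("group", -2147483646, [f"{D}-1200"]),     # nesting cycle with 1200
    f"{D}-1104": ("user", 0, []),
    f"{D}-1105": ("user", 0, []),              # reached only through the distribution group
    f"{D}-1106": ("user", 0, []),              # member of nothing
    "S-1-5-21-9-9-9-1104": ("user", 0, []),    # principal from another domain
}
```

In the sample, the user with RID 1105 is protected because the membership walk passes through a distribution group, while that distribution group itself fails the first condition and the principal from the other domain fails the second.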

 
© 2014 Microsoft. All rights reserved.