3.1.1.6.1.2 Protected Objects

In domain d, the set S of all security principal objects o that are protected is defined as follows:

  • (o!objectClass = group AND attribute o!groupType & GROUP_TYPE_SECURITY_ENABLED ≠ 0) OR (o!objectClass = user)

  • AND (o!objectSid = d!objectSid + RID)

  • AND either

    • o is a member, directly or transitively, of any group in the set:

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_ADMINS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_ACCOUNT_OPS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_SYSTEM_OPS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_PRINT_OPS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_BACKUP_OPS

      • built-in well-known group with RID = DOMAIN_ALIAS_RID_REPLICATOR

      • account domain well-known group with RID = DOMAIN_GROUP_RID_ADMINS

      • account domain well-known group with RID = DOMAIN_GROUP_RID_SCHEMA_ADMINS

      • account domain well-known group with RID = DOMAIN_GROUP_RID_ENTERPRISE_ADMINS

    • OR, is one of the following well-known security principals:

      • of class user with RID = DOMAIN_USER_RID_ADMIN

      • of class user with RID = DOMAIN_USER_RID_KRBTGT

      • of class group with RID = DOMAIN_GROUP_RID_CONTROLLERS

      • of class group with RID = DOMAIN_GROUP_RID_READONLY_CONTROLLERS
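
The definition above evaluated over a small directory, as an added example that is not part of the specification, for auditing which accounts fall in S. Assumptions: the SID-to-tuple directory model, the function name, and the sample objects are constructed for illustration; the numeric RID values are the well-known ones from the Windows SDK headers and do not appear on this page.

```python
GROUP_TYPE_SECURITY_ENABLED = 0x80000000
# Well-known RID values from the Windows SDK headers (not listed on this page).
BUILTIN_RIDS = (544, 548, 549, 550, 551, 552)  # ADMINS, ACCOUNT_OPS, SYSTEM_OPS, PRINT_OPS, BACKUP_OPS, REPLICATOR
DOMAIN_GROUP_RIDS = (512, 518, 519)            # ADMINS, SCHEMA_ADMINS, ENTERPRISE_ADMINS
PRINCIPALS = {("user", 500), ("user", 502),    # DOMAIN_USER_RID_ADMIN, DOMAIN_USER_RID_KRBTGT
              ("group", 516), ("group", 521)}  # CONTROLLERS, READONLY_CONTROLLERS

def protected_objects(domain_sid, directory):
    """Return the SIDs in set S. directory maps SID -> (objectClass, groupType, memberOf SIDs)."""
    roots = ({f"S-1-5-32-{r}" for r in BUILTIN_RIDS}
             | {f"{domain_sid}-{r}" for r in DOMAIN_GROUP_RIDS})

    def in_protected_group(sid):
        seen, stack = set(), list(directory[sid][2])
        while stack:                  # walk memberOf upward; 'seen' stops nesting loops
            group = stack.pop()
            if group in roots:
                return True
            if group not in seen:
                seen.add(group)
                stack.extend(directory.get(group, ("", 0, []))[2])
        return False

    result = set()
    for sid, (cls, group_type, _) in directory.items():
        prefix, _, rid = sid.rpartition("-")
        # Clause 1: user, or security-enabled group.
        principal = cls == "user" or (cls == "group" and group_type & GROUP_TYPE_SECURITY_ENABLED != 0)
        # Clause 2: SID is d!objectSid + RID. Clause 3: group membership or listed principal.
        if principal and prefix == domain_sid and (
                in_protected_group(sid) or (cls, int(rid)) in PRINCIPALS):
            result.add(sid)
    return result

D = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SEC, DIST = 0x80000002, 0x00000002               # global security / global distribution group
SAMPLE = {                                       # constructed directory
    f"{D}-502":  ("user", 0, []),                          # krbtgt: listed principal
    f"{D}-512":  ("group", SEC, ["S-1-5-32-544"]),         # Domain Admins
    f"{D}-1104": ("group", SEC, ["S-1-5-32-548"]),         # nested in Account Operators
    f"{D}-1105": ("user", 0, [f"{D}-1104"]),               # transitive member
    f"{D}-1106": ("group", DIST, [f"{D}-512"]),            # not security-enabled
    f"{D}-1107": ("group", SEC, [f"{D}-1108"]),            # nesting loop, no protected root
    f"{D}-1108": ("group", SEC, [f"{D}-1107"]),
    "S-1-5-21-9-9-9-1200": ("user", 0, ["S-1-5-32-544"]),  # SID from another domain
}
```

The distribution group fails the first clause, and the user whose SID belongs to another domain fails the second even though it is a direct member of the built-in administrators group.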

© 2015 Microsoft