13.4 Restricting Native Built-in Security Groups

To provide a more secure environment, DRA allows you to limit the powers given to Microsoft Windows built-in security groups. The ability to modify group membership, built-in security group properties, or properties of the group members can have important security implications. For example, if you can change the password of a user in the Server Operators group, you can then log on as that user and exercise the powers delegated to this built-in security group.

DRA prevents this security issue by providing a policy that checks the powers you have for a native built-in security group and its members. This validation ensures that your requested actions do not escalate these powers. After you enable this policy, an AA (Assistant Admin) who is a member of a built-in security group, such as the Server Operators group, can only manage other members of the same group.

13.4.1 Native Built-in Security Groups You Can Restrict

You can restrict the powers of the following Microsoft Windows built-in security groups using DRA policies:

  • Account Operators

  • Administrators

  • Backup Operators

  • Cert Publishers

  • DNS Admins

  • Domain Admins

  • Enterprise Admins

  • Group Policy Creator Owners

  • Print Operators

  • Schema Admins

    NOTE: DRA refers to the built-in security groups by their internal identifiers. As a result, DRA supports these groups even if the groups are renamed. This feature ensures that DRA supports built-in security groups with different names in different countries. For example, DRA refers to the Administrators group and the Administratoren group with the same internal identifier.

13.4.2 Restricting Actions on Native Built-in Security Groups

DRA uses a policy to limit the powers that native built-in security groups and their members can exercise. This policy, called $SpecialGroupsPolicy, restricts the actions a member of a native built-in security group can perform on other members or on other native built-in security groups. DRA enables this policy by default. If you do not want to restrict actions on native built-in security groups and their members, you can disable this policy.

When this policy is enabled, DRA uses the following validation tests to determine whether an action is permitted on a native built-in security group or its members:

  • If you are a Microsoft Windows administrator, you can perform actions on native built-in security groups and their members for which you have the appropriate powers.

  • If you are a member of a built-in security group, you can perform actions on the same built-in security group and its members, as long as you have the appropriate powers.

  • If you are not a member of a built-in security group, you cannot modify a built-in security group or its members.

For example, if you are a member of the Server Operators and Account Operators groups and you have the appropriate powers, you can perform actions on members of the Server Operators group, members of the Account Operators group, or members of both groups. However, you cannot perform actions on a user account that is a member of the Print Operators group and the Account Operators group.
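As an added illustration (not DRA's own code), the three validation tests above reduce to a set-containment check keyed on group identifiers rather than display names, which is also why a renamed group such as Administratoren stays covered; the identifier strings and sample accounts below are constructed placeholders.

```python
from dataclasses import dataclass

# Restricted built-in groups keyed by a stable identifier rather than a display
# name, so a renamed group (Administratoren for Administrators) is still covered.
# These identifier strings are constructed placeholders, not DRA's internal ones.
RESTRICTED_GROUPS = {
    "BI-ACCOUNT-OPERATORS": "Account Operators",
    "BI-ADMINISTRATORS": "Administrators",
    "BI-PRINT-OPERATORS": "Print Operators",
    "BI-SERVER-OPERATORS": "Server Operators",
}


@dataclass(frozen=True)
class Account:
    """A user (or a group treated as its own object) with its group memberships."""
    name: str
    group_ids: frozenset = frozenset()


def group_object(group_id: str) -> Account:
    """Model a built-in group itself as a target: modifying the group counts as
    acting on that group, so the actor must be one of its members."""
    return Account(RESTRICTED_GROUPS[group_id], frozenset({group_id}))


def restricted_memberships(account: Account) -> frozenset:
    """Keep only the memberships that fall under the policy."""
    return frozenset(g for g in account.group_ids if g in RESTRICTED_GROUPS)


def action_permitted(actor: Account, target: Account, *,
                     windows_admin: bool = False, has_powers: bool = True) -> bool:
    """Apply the validation tests described in the section:
    1. a Windows administrator may act, given the appropriate powers;
    2. a built-in group member may act on the same groups and their members,
       i.e. the target's restricted memberships are a subset of the actor's;
    3. an actor outside every built-in group may not modify a built-in group
       or its members. Objects in no restricted group are outside the policy."""
    if not has_powers:
        return False
    target_groups = restricted_memberships(target)
    if not target_groups or windows_admin:
        return True
    actor_groups = restricted_memberships(actor)
    return bool(actor_groups) and target_groups <= actor_groups
```

With an actor in Server Operators and Account Operators, a target in Print Operators and Account Operators is refused because Print Operators is not among the actor's memberships, which is exactly the case in the example above.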

DRA restricts you from performing the following actions on native built-in security groups:

  • Cloning a group

  • Creating a group

  • Deleting a group

  • Adding a member to a group

  • Removing a member from a group

  • Moving a group to an OU

  • Modifying properties of a group

  • Copying a mailbox

  • Removing a mailbox

  • Cloning a user account

  • Creating a user account

  • Deleting a user account

  • Moving a user account to an OU

  • Modifying user account properties

DRA also restricts actions to ensure you do not gain powers over an object. For example, when you add a user account to a group, DRA checks to ensure you do not gain additional powers over the user account because it is a member of that group. This validation helps protect against an escalation of power.