Rights
Control access to objects (what Microsoft calls permissions). Examples:
- Read/write files
- Access shared folders
Assigned via: ACLs (Access Control Lists) on each object (files, folders, registry keys, AD objects)
Privileges
Control actions a user can perform on a system, independently of any object's permissions. Examples:
- Shut down a system
- Debug processes
- Dump credentials
Assigned via: Group membership (many built-in groups carry privileges) and User Rights Assignment in the local security policy or in a Group Policy Object (GPO)
Built-in AD Groups
Active Directory has default groups that bundle powerful privileges. A user who is a member of one of these groups, directly or through a nested group, inherits those capabilities automatically.
Some of the most common built-in groups are:
Account Operators:
Members can create and modify most user accounts, groups, and other directory objects, and can log on locally to Domain Controllers.
However, they cannot manage accounts protected by AdminSDHolder, such as members of Administrators, Domain Admins, or other critical groups.
An attacker in this group can create new accounts, reset passwords, or manipulate existing non-protected users.
Administrators:
Members of this group have complete and unrestricted control over a system. On a Domain Controller, the built-in Administrators group is the domain's Administrators group, so membership effectively means full control over the domain.
This includes installing software, modifying security settings, accessing any file, and managing all users. Compromising this group is equivalent to total system or domain compromise.
Backup Operators:
Members can bypass file permissions entirely and back up or restore any file on the system. This includes sensitive files like the SAM database and the NTDS.dit file, which store password hashes.
An attacker can use this capability to extract credentials and escalate privileges to Domain Admin. For this reason, Backup Operators should be treated as highly privileged.
DnsAdmins:
Members of this group can manage DNS zones, records, and server settings without being full Active Directory Domain Administrators.
The group is only created if the DNS server role is, or was at one time, installed on a domain controller in the domain.
Historically, membership allowed an arbitrary DLL to be loaded into the DNS service (which runs as SYSTEM on the DC) through the ServerLevelPluginDll setting; that path has since been hardened by Microsoft, but the group should still be treated as privileged.
Domain Admins:
Members have full administrative access to the domain. Because Domain Admins is added to the local Administrators group when a machine joins the domain, they are automatically administrators on every domain-joined machine.
Domain Computers:
This group contains all computers joined to the domain, except Domain Controllers.
Domain Controllers:
This group contains all Domain Controllers in the domain.
Domain Guests:
This group includes the built-in Guest account and is intended for very limited access.
Domain Users:
This group includes all user accounts in the domain by default. It is not privileged.
Enterprise Admins:
This group has full control over the entire Active Directory forest, not just a single domain. Members can create new domains, establish trust relationships, and manage global configurations.
Event Log Readers:
Members can read event logs on systems, including Domain Controllers.
Group Policy Creator Owners:
Members can create new Group Policy Objects (GPOs) in the domain and, as creator owners, modify the GPOs they created; they cannot link a GPO to a site, domain, or OU without separate permissions. Since GPOs can control system settings, user privileges, and security configurations, a GPO this group controls that is linked by someone else can indirectly escalate privileges.
Hyper-V Administrators:
This group has full control over virtual machines managed by Hyper-V. If Domain Controllers run as virtual machines, members can control them through the hypervisor (for example by copying the VM's virtual disk, which contains NTDS.dit), which makes the group effectively Domain Admin-equivalent.
IIS_IUSRS:
This group is used by Internet Information Services (IIS) to run web applications.
Pre-Windows 2000 Compatible Access:
This is a legacy group designed for compatibility with older systems. It grants broad read access to user and group attributes in the directory. In modern environments it is usually unnecessary; if Everyone or Anonymous Logon has been added to it, even unauthenticated entities can read directory information.
Print Operators:
Members can manage printers and printer drivers on Domain Controllers and can log on locally to them. On DCs the group holds SeLoadDriverPrivilege, and loading a driver means running code in the kernel, so this can be abused to execute malicious code on the DC.
Protected Users:
This group is designed to enhance security. Members cannot authenticate with NTLM, Digest, or CredSSP, cannot use DES or RC4 for Kerberos pre-authentication, cannot be delegated, and their credentials are not cached by LSASS, so tools that dump LSASS find no reusable secret for them. It is typically used for high-value accounts to reduce the risk of credential theft.
Read-only Domain Controllers:
This group contains Domain Controllers that have a read-only copy of the directory. These are used in environments where full DC security cannot be guaranteed.
Remote Desktop Users:
Members are allowed to log into systems using Remote Desktop Protocol.
Remote Management Users:
This group allows users to connect remotely via Windows Remote Management (WinRM), which is commonly used for PowerShell remoting. This enables remote command execution and is often used in both administration and attacks.
Schema Admins:
Members can modify the Active Directory schema, which defines how objects and attributes function. The group exists only in the forest root domain, and schema changes affect the whole forest and cannot be fully undone (attributes can only be deactivated, not deleted).
Server Operators:
This group only has meaning on Domain Controllers. Members can log on to Domain Controllers, manage services, access file shares, and perform backups. Control over services on a DC (for example changing a service's binary path) is a direct path to SYSTEM on the DC.
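As an added example, not part of the original notes, the following PowerShell audit enumerates the high-value groups described above with nested membership expanded and cross-checks admin-tier accounts against Protected Users. It assumes the RSAT ActiveDirectory module and an account that can read group membership; which groups count as high-value is this example's own choice.

```powershell
# Added example: audit membership of the high-value built-in groups listed above.
# Assumes the RSAT ActiveDirectory module and read access to group membership.
Import-Module ActiveDirectory

# Which groups count as high-value is a choice made for this audit, not a Microsoft list.
$highValueGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners', 'Hyper-V Administrators',
    'Remote Management Users', 'Remote Desktop Users'
)

# Accounts that hold admin-tier membership are expected to be in Protected Users.
$protectedUsers = @()
try {
    $protectedUsers = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName)
} catch {
    Write-Warning "Could not read Protected Users: $_"
}

$report = foreach ($groupName in $highValueGroups) {
    # Some groups may not exist: DnsAdmins if DNS was never installed on a DC,
    # Schema Admins and Enterprise Admins outside the forest root domain.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { Write-Verbose "Group not found: $groupName"; continue }

    # -Recursive expands nested groups; that is where unexpected members usually hide.
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        [pscustomobject]@{
            Group         = $groupName
            Member        = $_.SamAccountName
            ObjectClass   = $_.objectClass
            ProtectedUser = ($_.SamAccountName -in $protectedUsers)
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Admin-tier user accounts that are not in Protected Users are the first findings to act on.
$adminTier = 'Administrators', 'Domain Admins', 'Enterprise Admins'
$report |
    Where-Object { $_.ObjectClass -eq 'user' -and $_.Group -in $adminTier -and -not $_.ProtectedUser } |
    Select-Object Group, Member | Sort-Object Group, Member -Unique
```

Run it from a domain-joined machine as any account that can read group membership (a plain domain user can, by default). Computer accounts and groups appear in the first table; the second table lists only user objects, because that is where Protected Users applies.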
User Rights Assignment
Depending on their group membership, and on privileges that administrators assign via Group Policy (GPO) or the local security policy, users can have various rights assigned to their account.
For example, say we gain write access over a Group Policy Object (GPO) applied to an OU containing one or more users that we control. We could then use a tool such as SharpGPOAbuse to add a User Rights Assignment entry to that GPO, granting targeted rights to a user we control on every machine the GPO applies to.
We may perform many actions in the domain to further our access with these new rights. A few examples include:
SeRemoteInteractiveLogonRight:
This allows a user to log onto a system via Remote Desktop (RDP).
SeBackupPrivilege:
Users with this privilege can bypass file permissions and back up any files on the system, including critical system files like the SAM and SYSTEM hives or the NTDS.dit file on a Domain Controller.
SeDebugPrivilege:
This privilege allows a user to debug or manipulate processes, including those running under high-privilege accounts like Local System. Tools such as Mimikatz exploit this privilege to read memory from the LSASS process, extracting credentials stored in RAM.
SeImpersonatePrivilege:
This allows a process or user to impersonate another user’s security token, including SYSTEM or administrative accounts. This privilege is commonly exploited using tools like JuicyPotato, RogueWinRM, or PrintSpoofer to escalate privileges on a target system.
SeLoadDriverPrivilege:
A user with this right can load and unload device drivers. Because drivers operate at the kernel level, this privilege can be exploited to execute malicious code with SYSTEM privileges.
SeTakeOwnershipPrivilege:
This grants the ability to take ownership of securable objects, such as files, folders, or registry keys. Once the user owns the object, they can rewrite its ACL to grant themselves full control, so in practice it is equivalent to full access to any object on the system.
The critical lesson is that even a single misassigned privilege can have far-reaching consequences in an Active Directory environment.
Administrators must carefully manage which accounts are granted these rights because an error can create a direct path for attackers to escalate privileges, compromise systems, and ultimately take over the domain.
From a security perspective, privileges like the ones listed above are considered high-value targets and should be assigned sparingly, monitored continuously, and combined with strict account separation and auditing to reduce risk.
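As an added example, not part of the original notes, the following PowerShell script reports who holds the dangerous rights discussed above on the local machine, reading the effective policy rather than a single GPO. It exports the [Privilege Rights] section with secedit.exe, resolves the SIDs to account names, and flags the rights listed above. It must run from an elevated prompt (secedit's export requires it), and the set of rights flagged as dangerous is this example's choice.

```powershell
# Added example: report who holds dangerous user rights on this host.
# Exports the effective local policy with secedit.exe (needs an elevated prompt) and
# parses its [Privilege Rights] section, whose lines look like:
#   SeDebugPrivilege = *S-1-5-32-544
#   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
$dangerous = @(
    'SeRemoteInteractiveLogonRight', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege', 'SeTcbPrivilege'
)

function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # unresolvable: deleted account or a SID from an unreachable domain
    }
}

$inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

$assignments = Get-Content $inf | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $holders = @($Matches[2] -split ',' | ForEach-Object {
            $p = $_.Trim().TrimStart('*')
            if ($p -like 'S-1-*') { Resolve-Sid $p } else { $p }
        })
        [pscustomobject]@{
            Right     = $right
            Holders   = $holders
            Dangerous = ($right -in $dangerous)
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$assignments | Where-Object Dangerous | Sort-Object Right |
    Format-Table Right, @{ n = 'Holders'; e = { $_.Holders -join ', ' } } -AutoSize
```

Anything beyond the defaults (Administrators, plus Backup Operators for backup and restore, and the service accounts Windows itself lists for impersonation) deserves an explanation; a plain user or an ordinary service account holding SeDebugPrivilege or SeTakeOwnershipPrivilege is a finding. Running the same script on a Domain Controller shows the rights that groups such as Server Operators and Print Operators receive there.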
whoami /priv
lists the privileges present in the current process token and whether each one is enabled. Logon rights such as SeRemoteInteractiveLogonRight do not appear here, because they are evaluated at logon time rather than carried in the token.
For a standard domain user, the output is very minimal. You typically only see harmless privileges like:
- SeChangeNotifyPrivilege (Enabled) allows basic file/folder traversal
- SeIncreaseWorkingSetPrivilege (Disabled) allows a user or process to increase the working set of a process. The working set refers to the amount of physical memory (RAM) allocated to a specific process.
This shows that a normal user has almost no privileges of its own; what it can do comes from object permissions (ACLs) rather than from the token.
When you look at a Domain Admin in a non-elevated session, the output still looks limited. Depending on the host's User Rights Assignment you see a few more privileges, such as:
- SeShutdownPrivilege
- SeTimeZonePrivilege
- SeUndockPrivilege
Most of them are Disabled. Disabled does not mean absent: the privilege is in the token and any process running under it can enable it (via AdjustTokenPrivileges) before use, so a Disabled SeBackupPrivilege or SeDebugPrivilege is as dangerous as an Enabled one.
This behavior is caused by User Account Control (UAC).
Even if your account is a Domain Admin or a Local Administrator, Windows does not give full privileges to your processes by default.
Instead, at logon it creates two tokens for the account (Admin Approval Mode):
- Filtered token (non-elevated): limited privileges, Medium integrity, with the Administrators group present but marked "used for deny only"
- Full token (elevated): full admin privileges, High integrity
When you open a normal CMD or PowerShell, you are using the filtered token; "Run as administrator" (after the UAC prompt) gives you a process with the full token.
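As an added example, not part of the original notes, the following PowerShell script shows the two tokens of one administrative account side by side. It parses whoami /priv and whoami /groups in CSV form, reports whether the current process holds the full token, and, if it does not, relaunches itself elevated so the same account's full token can be compared. Save it to a file first, because the relaunch uses $PSCommandPath; the set of privileges it flags as high-value is this example's choice.

```powershell
# Added example: compare the filtered and full token of one administrative account.
# Save as Show-Token.ps1 and run it from a normal (non-elevated) PowerShell window.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
# IsInRole(Administrator) is true only for the full (elevated) token, even for an admin user.
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami supports /fo csv, which makes its output easy to turn into objects.
$groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
$privs  = whoami.exe /priv /fo csv | ConvertFrom-Csv

# The mandatory integrity label tells the tokens apart: Medium = filtered, High = full.
$label = ($groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'
# BUILTIN\Administrators (S-1-5-32-544) is present in the filtered token too, but
# with the attribute "Group used for deny only".
$adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

"User            : $($identity.Name)"
"Elevated        : $elevated"
"Integrity label : $label"
"Administrators  : $(if ($adminGroup) { $adminGroup.Attributes } else { 'not a member' })"
"Privilege count : $($privs.Count)"
$privs | Format-Table 'Privilege Name', State -AutoSize

# 'Disabled' means the privilege is in the token but not yet enabled; any process that
# holds it can enable it with AdjustTokenPrivileges, so treat Disabled as present.
$highValue = 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeImpersonatePrivilege', 'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege'
$held = $privs | Where-Object { $_.'Privilege Name' -in $highValue }
if ($held) {
    "High-value privileges in this token:"
    $held | Format-Table 'Privilege Name', State -AutoSize
}

if (-not $elevated -and $PSCommandPath) {
    # Relaunch elevated (UAC prompt) so the output above can be compared with the full token.
    Start-Process powershell.exe -Verb RunAs -ArgumentList '-NoExit', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`""
}
```

In the first window an administrator sees Elevated: False, a Medium integrity label, Administrators marked as deny-only and a handful of privileges; the second window, opened through the UAC prompt, shows Elevated: True, High integrity and the full privilege list for the same account. The built-in Administrator account (RID 500) is exempt from token filtering by default, so for it both windows look the same.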