Account Operators

<aside> 🪟 The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers.

Members of the Account Operators group can’t manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group can’t modify user rights.

The Account Operators group applies to the Windows Server operating system in the Default Active Directory security groups list.

</aside>

Changing User Passwords

Account Operators can modify user objects for any user that is not a member of one of the protected groups (Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators).

This means that if you find a user who is not a Domain Admin but has administrative access to a sensitive server, you can reset their password and log in as them. For example, if you identify that ADMIN_john.doe is not a member of any of the protected groups but has local admin access to a server running IT password manager software, their account can be compromised by resetting their password:

Set-ADAccountPassword -Identity "ADMIN_john.doe" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password1234_" -Force)
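From the defender's side, the exposure above is visible in two places: who is in Account Operators at all, and which password resets those members perform on accounts outside the AdminSDHolder-protected set. The following PowerShell is an added example, not part of the original page; it assumes the ActiveDirectory RSAT module is available, that it runs on or against a domain controller, and that "Audit User Account Management" is enabled so that Event ID 4724 (an attempt was made to reset an account's password) is written to the Security log. The seven-day window is an arbitrary choice.

```powershell
# Added example (not from the original page): audit Account Operators membership and
# flag password resets its members perform on accounts that are not AdminSDHolder-protected.
# Assumes the ActiveDirectory module and a DC Security log with Event ID 4724 enabled.
Import-Module ActiveDirectory

# 1. Who currently holds the Account Operators privilege? Anyone listed here can reset
#    the password of most non-admin accounts, which is the exposure described above.
$accountOperators = Get-ADGroupMember -Identity 'Account Operators' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

Write-Output "Account Operators members: $($accountOperators -join ', ')"

# 2. Accounts protected by AdminSDHolder carry adminCount=1; Account Operators cannot
#    reset those. Every other account (for example a non-DA account with local admin on a
#    sensitive server) is in scope for a reset by an Account Operator.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' |
    Select-Object -ExpandProperty SamAccountName

# 3. Pull Event ID 4724 from the Security log for the last seven days (window is arbitrary).
#    -ErrorAction SilentlyContinue avoids a terminating error when no events match.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } `
    -ErrorAction SilentlyContinue

# 4. Keep only resets where the actor is an Account Operator and the target is unprotected.
#    SubjectUserName = who performed the reset, TargetUserName = whose password was reset.
foreach ($event in $events) {
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $subject = $data['SubjectUserName']
    $target  = $data['TargetUserName']

    if ($accountOperators -contains $subject -and $protected -notcontains $target) {
        [pscustomobject]@{
            Time    = $event.TimeCreated
            ResetBy = $subject
            Target  = $target
            Note    = 'Account Operator reset the password of an unprotected account; confirm it was a sanctioned helpdesk action'
        }
    }
}
```

Run it on a schedule or feed the output to your SIEM; a reset by an Account Operator against an account that holds local admin on a sensitive server is exactly the event worth a ticket. Keeping the Account Operators group empty removes the exposure at its source.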

References