Laura Robinson (Microsoft) has two posts which are excellent resources when working on your Active Directory delegation model. These posts focus on the concept of an “Admin-Free Active Directory,” meaning that there are no accounts in the powerful AD groups: Enterprise Admins, Domain Admins, Administrators, and Schema Admins.
The posts also list all of the groups that, by default, have the rights to log onto Domain Controllers. These groups need to be tightly controlled and monitored.
These groups are listed here:
- Enterprise Admins (admin on all DCs in the forest)
- Domain Admins
- Server Admins
- Backup Operators
- Account Operators
- Print Operators
- Remote Desktop Users
The last three groups on this list may surprise you. If so, you may want to audit membership in these groups, since accounts in any of them hold the “Allow log on locally” right on the Domain Controllers in the domain.
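One way to run that audit, as an added example that is not part of the original post or of Laura Robinson's material: the script below flattens the nested membership of each listed group with the RSAT ActiveDirectory module and warns on any group that is not empty, so indirect members hidden behind group nesting show up too. It assumes the ActiveDirectory PowerShell module is installed and the caller can read the domain. The post's “Server Admins” entry is queried as the built-in “Server Operators” group, which is the name the directory uses for the operators group with log-on rights to DCs; Enterprise Admins exists only in the forest root domain, so the script tolerates a lookup failure for it.

```powershell
# Added example (not from the original post): enumerate effective (nested) membership of
# the groups the post lists as holding log-on rights to Domain Controllers.
# Assumes: RSAT ActiveDirectory module present, read access to the domain.
Import-Module ActiveDirectory

# The post's "Server Admins" entry corresponds to the built-in "Server Operators" group.
$PrivilegedGroups = @(
    'Enterprise Admins',
    'Domain Admins',
    'Server Operators',
    'Backup Operators',
    'Account Operators',
    'Print Operators',
    'Remote Desktop Users'
)

$Report = foreach ($GroupName in $PrivilegedGroups) {
    try {
        $Group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    } catch {
        # Enterprise Admins only exists in the forest root domain; other misses are worth knowing about
        Write-Warning "Group '$GroupName' was not found in this domain."
        continue
    }

    # -Recursive flattens nested groups so that indirect members are reported as well
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Group             = $GroupName
                Member            = $_.SamAccountName
                ObjectClass       = $_.objectClass
                DistinguishedName = $_.distinguishedName
            }
        }
}

# Full listing for review, one row per (group, effective member)
$Report | Sort-Object Group, Member | Format-Table -AutoSize

# Under the admin-free model every one of these groups is expected to be empty or
# tightly justified, so any populated group is surfaced for review.
$Report | Group-Object Group | ForEach-Object {
    Write-Warning ("{0} has {1} effective member(s); review each one." -f $_.Name, $_.Count)
}

# Optional: keep a dated CSV so membership drift between audits is visible
$Report | Export-Csv -Path ("DC-logon-groups-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Run it from a management host against each domain in the forest; the exported CSV gives a baseline to diff on the next audit, and a member that appears only via nesting is a sign that the delegation model has drifted.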