Sunday, January 20, 2019

The principle of least privilege

Carefully manage the default groups that provide administrative privileges because they typically have broader privileges than are necessary for most delegated environments, and because they often apply protection to their members.
The Account Operators group is a good example of this. If you examine the capabilities of the Account Operators group, you can see that members of this group have very broad rights—they can even sign in locally to a domain controller. In very small networks, such rights may be assigned to one or two individuals who are typically domain administrators anyway. However, in large enterprises, the rights and permissions granted to Account Operators are usually far too broad.
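
One way to review who currently holds these rights is the following added example, which is not part of the original post. It assumes a single domain and the ActiveDirectory RSAT module. It lists direct and nested members of Account Operators and three sibling built-in operator groups, identified by their well-known SIDs, and shows each member's `adminCount` attribute, the marker left on accounts that have received the protection mentioned above.

```powershell
# Added example: audit membership of built-in operator groups.
# Assumptions: ActiveDirectory module installed, run with read access to the
# directory, all members live in the current domain.
Import-Module ActiveDirectory

# Well-known SIDs of default groups in the Builtin container.
$operatorGroups = [ordered]@{
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

$report = foreach ($sid in $operatorGroups.Keys) {
    # Look the group up by SID so renamed or localized groups are still found.
    $group = Get-ADGroup -Identity $sid

    # -Recursive flattens nested groups so indirect members are not missed.
    $members = @(Get-ADGroupMember -Identity $group -Recursive)

    foreach ($member in $members) {
        # adminCount = 1 marks an account that has been stamped as protected.
        $obj = Get-ADObject -Identity $member.distinguishedName -Properties adminCount
        [pscustomobject]@{
            Group       = $group.Name
            Member      = $member.SamAccountName
            ObjectClass = $member.objectClass
            AdminCount  = $obj.adminCount
        }
    }
}

if ($report) {
    # Every row is an account holding broad default rights; each one should
    # map to a documented need, otherwise delegate narrower permissions.
    $report | Sort-Object Group, Member | Format-Table -AutoSize
} else {
    Write-Output 'No members found in the audited operator groups.'
}
```

In a delegated environment the expected result for Account Operators is usually an empty list, with the specific tasks delegated on organizational units instead.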

