How does the DRA Special Groups Policy work?

  • 7015792
  • 17-Oct-2014
  • 29-Oct-2014

Environment

NetIQ Directory and Resource Administrator 8.x

Situation

Microsoft Active Directory (AD) contains several built-in special security groups. These groups, by default, grant elevated permissions within AD. To protect the security of AD, DRA can be configured to restrict modifications to AD users who are directly or indirectly members of those groups.

Resolution

To modify the Special Groups policy, use the Delegation and Configuration (D&C) Console. The D&C Console must be connected to the Primary DRA Server and run in the context of a DRA Assistant Administrator with DRA Administration Powers. The policy is located under the Policy and Automation Management node.

When this policy is enabled, DRA uses the following validation tests to determine whether an action is permitted on a native built-in security group or its members:

  • If you are a Microsoft Windows administrator, you can perform actions on native built-in security groups and their members for which you have the appropriate powers.
  • If you are a member of a built-in security group, you can perform actions on the same built-in security group and its members, as long as you have the appropriate powers.
  • If you are not a member of a built-in security group, you cannot modify a built-in security group or its members.
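
The following Python model is an added example, not DRA's own code. It applies one reading of the three tests above to a constructed directory, including members who reach a special group only through nesting. The directory contents, the function names and the `is_windows_admin` flag are assumptions made for illustration.

```python
# Group names from this article's list; the DS Restore Mode Administrator
# account is left out because this model keys on group membership only.
SPECIAL_GROUPS = {"Schema Admins", "Administrators", "Domain Admins",
                  "Server Operators", "Account Operators", "Backup Operators"}

# Constructed sample directory: group -> direct members (users or groups).
MEMBERS = {
    "Administrators": {"Domain Admins", "alice"},
    "Domain Admins": {"bob"},
    "Backup Operators": {"Tier2-Backup", "carol"},
    "Tier2-Backup": {"dave"},   # ordinary group nested in a special group
    "Helpdesk": {"erin"},
}

def special_groups_of(principal):
    """Special groups the principal belongs to, directly or through nesting."""
    found, seen, stack = set(), set(), [principal]
    while stack:
        current = stack.pop()
        if current in seen:
            continue            # guards against circular nesting
        seen.add(current)
        for group, members in MEMBERS.items():
            if current in members:
                if group in SPECIAL_GROUPS:
                    found.add(group)
                stack.append(group)
    return found

def is_permitted(actor, target, has_power, is_windows_admin=False):
    """Apply the three validation tests to one requested action."""
    if not has_power:
        return False            # every test still requires the right powers
    protected = special_groups_of(target)
    if target in SPECIAL_GROUPS:
        protected = protected | {target}
    if not protected:
        return True             # target is outside the policy's scope
    if is_windows_admin:
        return True             # test 1: Windows administrator
    # Tests 2 and 3: the actor must be in the same special group as the target.
    return bool(special_groups_of(actor) & protected)
```

Running the same membership walk against a real directory shows which accounts the policy protects only because of nested groups, such as `dave` in the sample data.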

Cause

DRA provides the Special Groups policy so that DRA Administrators can restrict modification of either the members of special groups or the groups themselves. This gives the DRA Administrator the ability to further control security within the DRA product.

Additional Information

The following is a list of Default Service Administrator Groups and Accounts:

  • Schema Admins
  • Administrators
  • Domain Admins
  • Server Operators
  • Account Operators
  • Backup Operators
  • DS Restore Mode Administrator