Active Directory Account Operator Modifying Groups Which Inherit Privileged Groups
In Active Directory, if an account I have access to has the Account Operators group, is it possible, by default, to add myself to a group which inherits the Domain Admins group?
For instance, I have a group named Tier 3 Admins which is part of the Domain Admins group, as shown in the image below:
The account I control has access to the Account Operators group, but remembering that the Account Operators group cannot modify protected groups such as Domain Admins, this should not be possible, right?
When testing, I find that this is not true, and I can indeed add myself to the Tier 3 Admins group. Does the Tier 3 Admins group not inherit the ACLs of the protected group Domain Admins? How is this possible?
Below is an image of my user, jsmith, adding myself to the Tier 3 Admins group as Account Operators, thus gaining Domain Admin privileges.