UAC modified groups

I was searching for the list of groups that User Account Control (UAC) removes from the default Kerberos ticket. After a lot of googling, and even reading the old UAC blog, I could not find it, so I decided to build the list myself.

But first, what is UAC?

UAC helps secure a system by removing some groups from the Kerberos ticket used by Explorer.exe. When you run a program as Administrator, it runs with the full Kerberos ticket.

Which Windows groups are removed from the default Kerberos ticket?

Removed group                              SID
Print Operators                            S-1-5-32-550
Administrators                             S-1-5-32-544
Account Operators                          S-1-5-32-548
Network Configuration Operators            S-1-5-32-556
Pre-Windows 2000 Compatible Access         S-1-5-32-554
Backup Operators                           S-1-5-32-551
Server Operators                           S-1-5-32-549
Domain Admins                              S-1-5-21-domain-512
Read-only Domain Controllers               S-1-5-21-domain-521
Domain Controllers                         S-1-5-21-domain-516
Group Policy Creator Owners                S-1-5-21-domain-520
Enterprise Read-only Domain Controllers    S-1-5-21-domain-498
Enterprise Admins                          S-1-5-21-domain-519
Schema Admins                              S-1-5-21-domain-518
Cert Publishers                            S-1-5-21-domain-517
RAS and IAS Servers                        S-1-5-21-domain-553

So if you depend on any of those groups, UAC will make things harder. Let's start by creating dedicated administrative groups instead of using just Domain Admins.
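To check which of the groups in the table are present in the current process and whether UAC has filtered them, the following added PowerShell example (not from the original post) parses the output of whoami.exe, which ships with Windows. Domain groups are matched by their trailing RID because the S-1-5-21-<domain> prefix differs per domain; run it once from a normal prompt and once from an elevated one to see the difference.

```powershell
# Added example, not part of the original post.
# Lists the groups from the table above that appear in the current token and
# reports whether UAC has marked them "Group used for deny only" (i.e. filtered).
# Assumes PowerShell on Windows with whoami.exe available on the PATH.

# Well-known builtin SIDs from the table, keyed by full SID.
$BuiltinSids = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-554' = 'Pre-Windows 2000 Compatible Access'
    'S-1-5-32-556' = 'Network Configuration Operators'
}
# Domain groups from the table, keyed by RID (the part after S-1-5-21-<domain>).
$DomainRids = @{
    '498' = 'Enterprise Read-only Domain Controllers'
    '512' = 'Domain Admins'
    '516' = 'Domain Controllers'
    '517' = 'Cert Publishers'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
    '520' = 'Group Policy Creator Owners'
    '521' = 'Read-only Domain Controllers'
    '553' = 'RAS and IAS Servers'
}

# whoami /groups /fo csv prints one CSV row per group:
# "Group Name","Type","SID","Attributes"
$groups = whoami.exe /groups /fo csv | ConvertFrom-Csv

foreach ($g in $groups) {
    $sid  = $g.SID
    $name = $null
    if ($BuiltinSids.ContainsKey($sid)) {
        $name = $BuiltinSids[$sid]
    } elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and $DomainRids.ContainsKey($Matches[1])) {
        $name = $DomainRids[$Matches[1]]
    }
    if ($name) {
        # "Group used for deny only" means UAC has stripped the group's
        # allow rights for this process; an elevated process shows "Enabled group".
        [pscustomobject]@{
            Group    = $name
            SID      = $sid
            Filtered = [bool]($g.Attributes -match 'deny only')
        }
    }
}
```

A row with Filtered = True tells you that group is exactly one the post is talking about: present in the token, but unusable until the program is run as Administrator.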
