Protect-Power-Groups-From-Account-Operators
Account Operators is prevented by default from changing the membership of a built-in power group such as Domain Admins directly. But if a group is nested inside Domain Admins, for example "IT Staff", the nested group carries no such protection. Any member of Account Operators could therefore mint a new domain admin simply by adding a user to the IT Staff group. This is a privilege-escalation path that is not normally intended.
This command walks the nested group membership tree of the domain and ensures that Account Operators is denied the right to add members to any group that confers administrator-equivalent access. That covers the natural power groups and every AuthLite-protected group configured in the User Group Pairs dialog.
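The following PowerShell is an added illustration of the technique the command performs; it is not AuthLite's own code and makes no claim about how the product implements it. It walks the nested-group tree under a list of root power groups and adds a Deny ACE for Account Operators (well-known SID S-1-5-32-548) on the "member" attribute of each nested group it finds. The root list and the `$Apply` switch are assumptions for the example; in AuthLite's case the roots would also include the groups configured in User Group Pairs. It requires the ActiveDirectory RSAT module and a caller permitted to change DACLs on those groups.

```powershell
# Added example, not AuthLite's code: deny Account Operators the ability to
# write the "member" attribute on every group nested under a power group.
Import-Module ActiveDirectory

$Apply = $false   # assumption for the example: $false only reports, $true writes the ACE

# Schema GUID of the "member" attribute (identical in every forest).
$memberGuid       = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$accountOperators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-548'

# Assumed root set: the natural power groups. AuthLite-protected groups from
# the User Group Pairs dialog would be appended to this list.
$roots = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-NestedGroups {
    param([string]$GroupName, [hashtable]$Seen)
    # Look one level down, recurse only into groups, and skip anything already
    # visited so a membership cycle (A in B, B in A) cannot loop forever.
    foreach ($m in Get-ADGroupMember -Identity $GroupName) {
        if ($m.objectClass -eq 'group' -and -not $Seen.ContainsKey($m.distinguishedName)) {
            $Seen[$m.distinguishedName] = $m
            Get-NestedGroups -GroupName $m.distinguishedName -Seen $Seen
        }
    }
}

$nested = @{}
foreach ($r in $roots) { Get-NestedGroups -GroupName $r -Seen $nested }

foreach ($dn in $nested.Keys) {
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # Is there already a property-specific Deny of WriteProperty(member)
    # for Account Operators on this group?
    $already = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $accountOperators -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        $_.ObjectType -eq $memberGuid
    }
    if ($already) { Write-Output "already protected: $dn"; continue }

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $accountOperators,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.Principal.AccessControlType]::Deny,
        $memberGuid)
    $acl.AddAccessRule($ace)

    if ($Apply) {
        Set-Acl -Path $path -AclObject $acl
        Write-Output "protected: $dn"
    } else {
        Write-Output "would protect: $dn"
    }
}
```

Two caveats worth checking before relying on this. A Deny on the member attribute is only as good as the rest of the DACL: if Account Operators also hold WriteDacl or WriteOwner on the group, they can remove the Deny, so audit those rights as well. And a group that SDProp already stamps from AdminSDHolder (adminCount=1) will have any hand-added ACE overwritten on the next pass; such groups already exclude Account Operators, so the script's "already protected" path should not be counted on for them and they can simply be skipped.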