I just got a new job a few weeks ago, and I noticed that somehow Active Directory is allowing standard users to modify users and groups in Active Directory Users and Computers, even though the standard users have not been delegated any control.
I created some test accounts in our Active Directory domain, and all of the test accounts have full access to Active Directory Users and Computers, provided that Remote Server Administration Tools is already installed on their client system.
I set up a new test domain in a virtual machine using Server 2012 R2. Then I joined a test Windows 10 VM to the domain, and the standard user was not able to make any changes to Active Directory. The test user can open Active Directory Users and Computers, but they can’t make any changes.
So there is something majorly wrong with our production Active Directory domain. I just don’t know where to look or how to resolve this issue. I looked at our default domain policy and there wasn’t anything there about giving users access to the domain.