Special groups

Theory
In the Windows Server operating system, there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. (Microsoft)
There are scenarios where testers can obtain full control over members of built-in security groups. The usual targets are members of the "Administrators", "Domain Admins" or "Entreprise Admins" groups, however, other groups can sometimes lead to major privileges escalation.
Practice
Below is a table summing up some groups' rights and abuse paths.
Security Group
Rights and abuses
Account Operators
its members can create and manage users and groups, including its own membership and that of the Server Operators group (e.g. add a member to a group)
​
​🔥at the time of writing (12th, April 2021) members can sometimes also escalate through the "Entreprise Key Admins" group and obtain full control over the root domain (read the ADPREP bug). 
Administrators
full admin rights to the Active Directory domain and Domain Controllers
Backup Operators
can backup or restore Active Directory and have logon rights to Domain Controllers
Server Operators
its members can sign-in to a server, start and stop services, access domain controllers, perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers
DnsAdmins
can read, write, create, delete DNS records (e.g. edit the wildcard record if it already exists). Its members can also run code via DLL on a Domain Controller operating as a DNS server.
Domain Admins
full admin rights to the Active Directory domain, all computers, workstations, servers, users and so on
Entreprise Admins
full admin rights to all Active Directory domains in the AD forest
Group Policy Creators Owners
create Group Policies in the domain. Its members can't apply group policies to users or group or edit existing GPOs
Resources
Scanning for Active Directory Privileges & Privileged Accounts
Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization. I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team ...
adsecurity.org
Security identifiers (Windows 10) - Microsoft 365 Security
Security identifiers
docs.microsoft.com
​

Group Policy Objects (GPOs)

Domain settings

Last updated 2 weeks ago

Security Group	Rights and abuses
Account Operators	its members can create and manage users and groups, including its own membership and that of the Server Operators group (e.g. add a member to a group) 🔥at the time of writing (12th, April 2021) members can sometimes also escalate through the "Entreprise Key Admins" group and obtain full control over the root domain (read the ADPREP bug).
Administrators	full admin rights to the Active Directory domain and Domain Controllers
Backup Operators	can backup or restore Active Directory and have logon rights to Domain Controllers
Server Operators	its members can sign-in to a server, start and stop services, access domain controllers, perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers
DnsAdmins	can read, write, create, delete DNS records (e.g. edit the wildcard record if it already exists). Its members can also run code via DLL on a Domain Controller operating as a DNS server.
Domain Admins	full admin rights to the Active Directory domain, all computers, workstations, servers, users and so on
Entreprise Admins	full admin rights to all Active Directory domains in the AD forest
Group Policy Creators Owners	create Group Policies in the domain. Its members can't apply group policies to users or group or edit existing GPOs