its members can create and manage users and groups, including its own membership and that of the Server Operators group (e.g. add a member to a group) its members can also be used to help abuse user accounts with unconstrained delegations since Account Operators can edit users SPNs. "This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved." (docs.microsoft.com) at the time of writing (12th, April 2021) members can sometimes also escalate through the "Enterprise Key Admins" group and obtain full control over the root domain (read the ADPREP bug).
full admin rights to the Active Directory domain and Domain Controllers
can backup or restore Active Directory and have logon rights to Domain Controllers
its members can remotely backup the necessary registry hives to dump SAM & LSA secrets and then conduct a DCSync
its members can sign-in to a server, start and stop services, access domain controllers, perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers
full admin rights to the Active Directory domain, all computers, workstations, servers, users and so on
full admin rights to all Active Directory domains in the AD forest
modify the schema structure of the Active Directory. Only the objects created after the modification are affected.
Group Policy Creators Owners
create Group Policies in the domain. Its members can't apply group policies to users or group or edit existing GPOs
its members usually are the servers where AD CS is installed