Re: Server 2003 Administration Pack Security Flaw?
From: David Everett [MSFT] (deverett_at_online.microsoft.com)
Date: 08/20/04
- Next message: Tom Bain: "Re: Password Policy"
- Previous message: Matt Williams: "Problem with adding BlockXPSP2 adm to a GPO"
- In reply to: Michael: "Server 2003 Administration Pack Security Flaw?"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 20 Aug 2004 09:01:00 -0500
Hi Michael,
I'm not able to reproduce this with a test domain user account on my Windows
XP SP2 system using the W2K3 version of dsa.msc.
My test user account does not have the New option, which prevents me from
creating any objects, and I don't have the right to delegate permissions either.
See if the domain user account can create a new top-level OU in the domain.
If this account can create OUs anywhere in the domain as well as user
accounts, then view the Member Of tab on the properties of the domain user
account and get a list of all groups that this account belongs to. Then go
view the Member Of tab on each of those groups and check the membership of
the groups they belong to, etc... Perhaps this user account is nested in
the Domain Admin, Enterprise Admin, Administrators, or the Account Operators
group. Also, make sure someone did not place the Domain Users group into
one of the Administrative groups.
If the group membership appears to be correct, try viewing the Security tab
of the OU or domain head where the user created an object and see if Write
Permissions have been delegated to any of the groups that this user account
belongs to.
If you have the Windows Server 2003 Resource Kit installed on the XP machine
you can run "ifmember /list > groups.txt" and view the groups.txt file to
see if the domain user account is a member of any groups with elevated
rights.
NOTE: This can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
and installed on the XP workstation.
--
David Everett
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

"Michael" <anonymous@discussions.microsoft.com> wrote in message
news:965901c48639$0d79cb00$a401280a@phx.gbl...
> I recently installed the Windows Server 2003
> Administration Pack on my XP SP2 machine and I came across
> something interesting...
>
> To avoid causing unnecessary damage to Active Directory, I
> created a regular user login for me to use on a daily
> basis and a Domain Admin account to use when I need to
> administer the AD. On my local machine, I added my
> regular AD account to the (local) Administrators group so
> that I can install software, etc.
>
> After installing the Windows Server 2003 Administration
> Pack (again, with my regular domain account), I clicked on
> the "Manage Active Directory" icon on the Start Menu and I
> was able to not only see everything in AD, but I was also
> able to make changes in the AD. (For example, I was able
> to disable a user's account.) Thinking that for some
> reason the MMC had cached my domain login, I rebooted my
> machine and logged back in with my regular domain user
> account and it still let me make changes in the AD.
>
> My coworker even went as far as taking himself out of the
> local Administrators group on his machine and it still let
> him get into the AD and disable my account. He then tried
> running AD Management as his local Administrator account
> and it said that he didn't have the proper permissions.
> But, as a regular domain user he is able to make changes.
>
> Since we have other "technology-related" departments in
> the building that have people that may know a thing or two
> about AD, I'm concerned that they may be able to get in
> and make changes.
>
> Has anyone else had this problem?
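The checks David walks through by hand (nested Member Of tabs, admin groups that accidentally contain Domain Users, Write permissions delegated on the domain head or an OU) can be done in one pass from a workstation. The script below is an added example and is not code from this thread, from Microsoft, or from the 2004 Resource Kit's ifmember; it assumes the modern RSAT ActiveDirectory PowerShell module, and every function and parameter name in it is this example's own. It goes slightly beyond the post by also counting the implicit identities (Authenticated Users, Everyone) that every domain logon carries, since an ACE granted to those explains "regular user can edit AD" without any group ever listing the user as a member.

```powershell
# Added example, not code from the original thread: enumerate a domain user's
# effective (nested) group membership and the write-class ACEs on a container,
# to locate the reason a "regular" domain user can change Active Directory.
# Assumptions: the RSAT ActiveDirectory module is installed; all function and
# parameter names here are this example's own.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# The groups the reply tells you to look for, keyed by well-known SID / RID.
$PrivilegedSids = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-548' = 'Account Operators' }
$PrivilegedRids = @{ 512 = 'Domain Admins'; 519 = 'Enterprise Admins' }

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing ( ) \ or * cannot break the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-EffectiveGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Primary-group membership (normally Domain Users) is stored in primaryGroupID,
    # not in the group's 'member' attribute, so it needs to be a second root of the walk.
    $primary = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"
    $roots = @($user.DistinguishedName, $primary.DistinguishedName) |
        ForEach-Object { "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $_))" }
    # LDAP_MATCHING_RULE_IN_CHAIN makes the DC resolve the nesting server-side.
    $nested = Get-ADGroup -LDAPFilter "(|$($roots -join ''))"
    @($primary) + @($nested) | Sort-Object { $_.SID.Value } -Unique
}

function Test-PrivilegedGroup {
    # Returns the friendly name if the group is one of the administrative groups, else $null.
    param([Microsoft.ActiveDirectory.Management.ADGroup]$Group)
    $sid = $Group.SID.Value
    if ($PrivilegedSids.ContainsKey($sid)) { return $PrivilegedSids[$sid] }
    $rid = [int]($sid -split '-')[-1]
    if ($PrivilegedRids.ContainsKey($rid)) { return $PrivilegedRids[$rid] }
    return $null
}

function Get-DelegatedWriteAccess {
    # Lists Allow ACEs on $TargetDN that grant write-class rights to any SID in $TrusteeSids.
    param([Parameter(Mandatory)][string]$TargetDN,
          [Parameter(Mandatory)][string[]]$TrusteeSids)
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, CreateChild, DeleteChild, WriteDacl, WriteOwner'
    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned or unresolvable trustee
        if ($TrusteeSids -contains $aceSid.Value) {
            [pscustomobject]@{
                Trustee    = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType     # all-zero GUID = every attribute / object class
                Inherited  = $ace.IsInherited
            }
        }
    }
}

function Find-ElevatedAccess {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$TargetDN = (Get-ADDomain).DistinguishedName)
    $user   = Get-ADUser -Identity $SamAccountName
    $groups = Get-EffectiveGroups -SamAccountName $SamAccountName
    foreach ($g in $groups) {
        $why = Test-PrivilegedGroup -Group $g
        if ($why) { Write-Output "PRIVILEGED: $SamAccountName is (nested) in '$($g.Name)' [$why]" }
    }
    # Implicit identities every logged-on domain user carries; an ACE for these is a
    # delegation to everybody even though no group lists the user as a member.
    $sids = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value }) + @('S-1-5-11', 'S-1-1-0')
    Get-DelegatedWriteAccess -TargetDN $TargetDN -TrusteeSids $sids |
        ForEach-Object { Write-Output "DELEGATED on $TargetDN : $($_.Trustee) -> $($_.Rights) (inherited=$($_.Inherited))" }
}

# Usage (run under an account that can read the directory and the container's DACL):
# Find-ElevatedAccess -SamAccountName 'michael'                                        # domain head
# Find-ElevatedAccess -SamAccountName 'michael' -TargetDN 'OU=Staff,DC=example,DC=local' # one OU
```

A "PRIVILEGED" line pointing at a group the user never joined directly is the nesting case David describes (including Domain Users having been dropped into an administrative group, which the primary-group root catches); a "DELEGATED" line with no "PRIVILEGED" line is the Security-tab case, and an inherited ACE there means the delegation was made higher up than the container you are looking at.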