Re: Authenticated Users

From: Tomasz Onyszko <T.Onyszko_nospam_@xxxxxx>
Date: Thu, 12 Oct 2006 23:07:39 +0200

moyer wrote:

I am an IT Auditor.

We found the authenticated users group being a member of the Domain Admins.

It has "send to" and "special" access. Also there are some other admin apllication groups that it is assigned to with the same access.

I seems as if this is a issue, that this has been assigned while installations have taken placed.

Can any body shed any light on this, and also is this security risk?

Somebody in this company really liked the shortcuts ... belive me that authenticated users in Damain Admins group is security risk ... a big one.

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
.

Follow-Ups:
- Re: Authenticated Users
  - From: Richard Mueller

Prev by Date: authoritative restore not working
Next by Date: Re: authoritative restore not working
Previous by thread: authoritative restore not working
Next by thread: Re: Authenticated Users
Index(es):
- Date
- Thread

Relevant Pages

Re: Security permissions bug or inheritant permissions??
... You can not lock AD down to the point that Domain Admins are limited. ... group policy isn't stored in OUs. ... > In a OU called "Test OU", we have set "Enterprise Admins" to have Full> control and "Authenticated Users" to have "Read" only permissions in the> security tab. ...
(microsoft.public.win2000.active_directory)
Re: Authenticated Users
... We found the authenticated users group being a member of the Domain ... apllication groups that it is assigned to with the same access. ... Can any body shed any light on this, and also is this security risk? ... authenticated users in Damain Admins group is security risk ... ...
(microsoft.public.windows.server.active_directory)
Re: Authenticated Users
... I would kick out all the admins, as EVERY user in the forest can do the ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... We found the authenticated users group being a member of the Domain ... Can any body shed any light on this, and also is this security risk? ...
(microsoft.public.windows.server.active_directory)
Re: Sysvol / Netlogon
... > I do see that Authenticated Users have full control to the sysvol share (I ... maybe I should train my admins to modify their scripts ... Any authenticated user can read NETLOGON and SYSVOL. ...
(microsoft.public.windows.server.active_directory)
Re: Schema Admin question
... I am thinking that the admins removed Authenticated Users ... admins" since they control the membership of the Schema Admins group. ...
(microsoft.public.windows.server.active_directory)