Re: AdminPak installed by Domain User - can view all tabs and groups.



A regular domain user shouldn't be able to install anything. If they did,
they probably have local administrative permissions and rights.

Once installed, if a user peruses the directory using the ADUC tool, then
they will have access to all the tabs. They will have read access to most
of the attributes too. They won't have write access to anything really.


Isn't this a bit of a risk? For someone in the network that wants a little
bit more info that knows a little something about Admin Pak?

The permission to read the data isn't a risk. That is the purpose of a
directory service - to allow people to view info.

Is allowing non administrators use of ADUC a risk? Maybe. Maybe not. If
they don't have the permissions to do anything they can't really do much but
it is overkill and can also get them thinking about how they might want to
do something. It also gives them plenty of info. should they wish to form
an attack. You shouldn't be giving anyone access to that, or any other,
tool if they don't need it. A web based interface that only shows a subset
of attributes is a good start, e.g. a white pages. Or, a role based
administrative tool such as ARS from Quest, that works as a proxy - it has
permissions over AD and handles delegation via its own authorisation system
which is based on roles.

The cool thing about a tool such as a web page, or Outlook's address list,
is it only returns values that you have permissions to see and doesn't show
you the underlying structure. You only get relevant info. in an easy to
read and use way.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


