Re: Strange problem in Active Directory



I wish it were that easy. No they are not.


On Apr 8, 8:39 am, "Paul Bergson [MVP-DS]"
<pbergson@xxxxxxxxxxxxxxxxx> wrote:
Check the Everyone and Domain Users groups to see if they are members of
Domain Admins or Enterprise Admins security groups.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

<komm...@xxxxxxxxxxx> wrote in message

news:fe8ca29b-c0bf-4ae2-b576-042ccd675bcc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



I recently joined a new company and while exploring their
Active Directory forest, I came across a strange situation:

If ordinary user opens Active Directory Users and Computers, he can
add and erase users and groups. Moreover, he can add himself to Domain
Admins group as well.

So, I created a test user and sure enough, this test user could use
ADUC to do whatever he wants there. I thoroughly checked GPO's that
applied to the user, and found nothing that would give him such
rights. I checked group membership for this user and again, he was
not a member of any group with elevated rights. I checked security
rights to user objects via advanced features of ADUC and my test user
doesn't have anything but "read" to them, yet he can kill pretty much
any other account.

While I am thinking that AD itself may be corrupt, I would appreciate
any suggestion, especially if anyone knows of any tool that I can use
to check "effective rights" of any user to Active Directory objects. I
thought it could be a delegation thing, but then I would be able to
see it via "security" tab for any user in ADUC, right?

Thank you, your help is much appreciated

YuriLevenfeld
System Engineer II
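The two checks discussed in this thread (whether a broad principal such as Domain Users is nested into Domain Admins, and where such principals actually hold write rights on privileged objects) can be scripted. The following PowerShell is an added example written for this page, not code posted by anyone in the thread; it assumes the RSAT ActiveDirectory module is installed and the account running it has ordinary read access to the domain. The list of "broad" principals and the set of rights treated as write access are choices made for this example. It reads ACLs through the module's AD: drive and reports inherited and property-specific ACEs explicitly, since those are the ones that are easy to miss on the plain Security tab the poster checked.

```powershell
# Added example; not from the thread. Audits a domain for broad principals
# nested into privileged groups and for ACEs granting them write access.
# Assumes the RSAT ActiveDirectory module; nothing here modifies the directory.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Principals that should never hold write rights on privileged objects (example choice).
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users',
                     'Domain Computers', 'Users', 'Pre-Windows 2000 Compatible Access')

# Rights that allow changing membership, attributes, the DACL or the owner.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'

# --- 1. Nested membership ---------------------------------------------------
# Get-ADGroupMember -Recursive expands groups down to leaf users, so to see
# which *groups* are nested we walk the membership tree ourselves.
function Get-NestedGroupNames {
    param([string]$Group, [System.Collections.Generic.HashSet[string]]$Seen)
    $groups = Get-ADGroupMember -Identity $Group -ErrorAction Stop |
              Where-Object { $_.objectClass -eq 'group' }
    foreach ($g in $groups) {
        if ($Seen.Add($g.DistinguishedName)) {      # skip cycles
            $g.Name
            Get-NestedGroupNames -Group $g.DistinguishedName -Seen $Seen
        }
    }
}

foreach ($privGroup in 'Domain Admins', 'Enterprise Admins') {
    try {
        $seen   = New-Object 'System.Collections.Generic.HashSet[string]'
        $nested = @(Get-NestedGroupNames -Group $privGroup -Seen $seen)
        $bad    = $nested | Where-Object { $broadPrincipals -contains $_ }
        if ($bad) { Write-Warning "${privGroup} contains broad group(s): $($bad -join ', ')" }
        else      { Write-Host "${privGroup}: no broad groups nested ($($nested.Count) nested groups checked)" }
    } catch {
        # Enterprise Admins only exists in the forest root domain.
        Write-Host "Skipping ${privGroup}: $($_.Exception.Message)"
    }
}

# --- 2. ACLs on privileged objects ------------------------------------------
# AdminSDHolder's ACL is stamped onto every protected group and account, and
# ACEs on the domain root are inherited by every object beneath it, so both
# are audited alongside the admin groups themselves.
$targets = @("CN=AdminSDHolder,CN=System,$domainDN", $domainDN)
foreach ($name in 'Domain Admins', 'Enterprise Admins') {
    $g = Get-ADGroup -Filter "Name -eq '$name'"
    if ($g) { $targets += $g.DistinguishedName }
}

function Get-BroadWriteAces {
    param([string]$DistinguishedName)
    # The AD: PSDrive is created when the ActiveDirectory module loads.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $principal = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $principal -and
            $ace.ActiveDirectoryRights.ToString() -match $writeRights) {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                # All-zero GUID = right applies to every property/child object;
                # a specific GUID limits it to one attribute or object class.
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($dn in $targets) { Get-BroadWriteAces -DistinguishedName $dn }
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host 'No broad principal holds write rights on the audited objects.' }
```

Everyone and Authenticated Users cannot themselves be group members, so the nesting check mainly catches Domain Users or Users placed into an admin group; the ACL check is what catches the other route, where a write ACE on the domain root or on AdminSDHolder is inherited or propagated onto every user and group. Review each reported ACE's ObjectType: a property-specific WriteProperty may be legitimate, while GenericAll, WriteDacl or WriteOwner for a broad principal on any of these objects is not.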


