Re: Strange problem in Active Directory



check the members of the Domain Admins and the administrators group in AD and remove everyone that should not be there

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
<kommers@xxxxxxxxxxx> wrote in message news:fe8ca29b-c0bf-4ae2-b576-042ccd675bcc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I recently joined a new company and while exploring their
Active Directory forest, I came across a strange situation:

If an ordinary user opens Active Directory Users and Computers, he can
add and erase users and groups. Moreover, he can add himself to the Domain
Admins group as well.

So, I created a test user and sure enough, this test user could use
ADUC to do whatever he wants there. I thoroughly checked GPO's that
applied to the user, and found nothing that would give him such
rights. I checked group membership for this user and again, he was
not a member of any group with elevated rights. I checked security
rights to user objects via advanced features of ADUC and my test user
doesn't have anything but "read" to them, yet he can kill pretty much
any other account.

While I am thinking that AD itself may be corrupt, I would appreciate
any suggestion, especially if anyone knows of any tool that I can use
to check "effective rights" of any user to Active Directory objects. I
thought it could be a delegation thing, but then I would be able to
see it via "security" tab for any user in ADUC, right?

Thank you, your help is much appreciated


Yuri Levenfeld
System Engineer II
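The check Jorge suggests, carried through as an added example (not code from either poster): it walks the privileged AD groups including nested groups and flags any broad principal (Everyone, Authenticated Users, Domain Users, and so on) whose presence would explain why an ordinary user can edit objects. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host; the group names and SID list below are the standard well-known values, not anything taken from the thread.

```powershell
# Enumerate the effective (nested) membership of privileged AD groups and
# flag principals that should never appear there. Added example; assumes
# the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

# Well-known SIDs that effectively grant "everybody" membership when nested.
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$DomainSid = (Get-ADDomain).DomainSID.Value
$BroadPrincipals["$DomainSid-513"] = 'Domain Users'       # RID 513
$BroadPrincipals["$DomainSid-515"] = 'Domain Computers'   # RID 515

function Get-NestedMembers {
    param([string]$GroupDn, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDn)) { return }   # guard against group cycles
    $Seen[$GroupDn] = $true
    $members = (Get-ADGroup -Identity $GroupDn -Properties member).member
    foreach ($dn in $members) {
        # Get-ADObject rather than Get-ADGroupMember so that foreign security
        # principals (e.g. Authenticated Users) are returned instead of erroring.
        $obj = Get-ADObject -Identity $dn -Properties objectClass, objectSid
        [pscustomobject]@{
            Group  = $GroupDn
            Member = $obj.DistinguishedName
            Class  = $obj.objectClass
            Sid    = $obj.objectSid.Value
        }
        if ($obj.objectClass -eq 'group') { Get-NestedMembers -GroupDn $dn -Seen $Seen }
    }
}

$privileged = 'Domain Admins', 'Administrators', 'Enterprise Admins',
              'Schema Admins', 'Account Operators'
$results = foreach ($name in $privileged) {
    # -Filter returns nothing (instead of an error) for groups that only
    # exist in the forest root domain, such as Enterprise/Schema Admins.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }
    Get-NestedMembers -GroupDn $group.DistinguishedName | ForEach-Object {
        $flag = if ($BroadPrincipals.ContainsKey($_.Sid)) { "REVIEW: $($BroadPrincipals[$_.Sid])" } else { '' }
        $_ | Add-Member -NotePropertyName Finding -NotePropertyValue $flag -PassThru
    }
}
$results | Format-Table Group, Member, Class, Finding -AutoSize
```

Any row marked REVIEW is a candidate for removal; run it again afterwards to confirm the nested path is gone.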
