Re: "Send as" and SBS Domain Power User



Hi,

The workaround for the issue is easy to implement once you understand what is
happening. The disturbing part of the issue is that members of groups which
should not have Send As rights have them. As I said before, not even
Enterprise Admins have the Send As privilege.
I also expect many SBS admins will use the Power Users template when creating
users and unknowingly give users elevated rights.
In my books this is a security issue and someone from the development team
should have a closer look at it.

Regards,

--
Jan Wakulicz
www.micropol.com.au


"Nathan Liu [MSFT]" <v-natliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:8OxyrViAGHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Jan,
>
> This is a supplemental email.
>
> Based on my testing, I have reproduced this issue.
>
> Reproduce steps:
>
> A. Use "Add User Wizard" and "User Template" to create a normal Domain User.
> B. Use "Add User Wizard" and "Power User Template" to create a Domain Power User.
> C. Open ADU&C, click View -> Advanced Features, and we can find that
> "Account Operators" has "Full Control" permission for the normal Domain user.
> D. We can "Send as" the normal domain user by using the domain power user
> account.
>
> Note: "Domain Power Users" is a member of "Account Operators", "Mail
> Operators" and other security groups.
>
> Based on the above information, the "Account Operators" Built-in Security Group
> has "Send As" permission for "Domain Users" by default. Because the power users
> belong to the Account Operator security group, they inherit the "Send As"
> permission that has been applied to it.
>
>
> To work around this issue, please remove the "Send As" permission for the power
> user.
>
> Method 1:
>
> You can remove the power user from the Account Operator group or deny the
> "Send As" permission for the Account Operator group. However, we do not
> recommend you do that; it will impact the Account Operator group
> permissions and it will also impact other permissions of the power user that
> are inherited from the Account Operator group.
>
> Method 2:
>
> You can deny the "Send As" permission for one of the power users or for the
> whole power user group.
> To deny "Send as" permissions for a power user:
> On an Exchange computer, click Start, point to Programs, point to Microsoft
> Exchange, and then click Active Directory Users and Computers.
> On the View menu, click to select Advanced Features.
> Expand Users, right-click the User object where you want to deny the "Send
> As" permission, and then click Properties.
> In the Select User, Computer, or Group dialog box, click the user account
> or the group that you want to deny "Send as" permissions to, and then click
> OK.
>
> More info:
>
> 327000 HOW TO: Grant "Send As" and "Send on Behalf" Permissions in Exchange
> http://support.microsoft.com/?id=327000
>
> I appreciate your time and cooperation. Please do not hesitate to let me
> know if you have any further concerns; I am looking forward to hearing from
> you.
>
> Have a nice weekend!
>
> Best regards,
>
> Nathan Liu (MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> --------------------
>>X-Tomcat-ID: 190502595
>>References: <#5AjiMR$FHA.740@xxxxxxxxxxxxxxxxxxxx>
> <2NUcCbu$FHA.552@xxxxxxxxxxxxxxxxxxxxx>
> <#dtZ6Ov$FHA.3872@xxxxxxxxxxxxxxxxxxxx>
> <WutJODw$FHA.552@xxxxxxxxxxxxxxxxxxxxx>
> <OuRVyix$FHA.3852@xxxxxxxxxxxxxxxxxxxx>
> <sXikdi7$FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
> <4NszCCKAGHA.3764@xxxxxxxxxxxxxxxxxxxxx>
>>MIME-Version: 1.0
>>Content-Type: text/plain
>>Content-Transfer-Encoding: 7bit
>>From: v-natliu@xxxxxxxxxxxxxxxxxxxx ("Nathan Liu [MSFT]")
>>Organization: Microsoft
>>Date: Thu, 15 Dec 2005 09:50:43 GMT
>>Subject: Re: "Send as" and SBS Domain Power User
>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>Message-ID: <94h5E0VAGHA.1236@xxxxxxxxxxxxxxxxxxxxx>
>>Newsgroups: microsoft.public.windows.server.sbs
>>Lines: 160
>>Path: TK2MSFTNGXA02.phx.gbl
>>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:230366
>>NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182
>>
>>Hi Jan,
>>
>>Many thanks for your waiting. I appreciate your time and patience.
>>
>>I. I have checked these dsacls log files and compared them with my testing
>>machine, and I didn't find any problem with them. I have also tried to
>>reproduce this specific issue, but I cannot reproduce it on my testing
>>machine.
>>
>>II. Considering the current condition, it is an effective and feasible way
>>to check the "Deny" "Send As" permission check box for "Domain Power Users"
>>via ESM. Meanwhile, we will continue to research and test this issue, then
>>update the result to you. Thanks for your understanding.
>>
>>To deny "Send As" permission for "Domain Power Users" via ESM, open the
>>Exchange System Manager on the SBS Server, expand Servers -> ServerName ->
>>First Storage Group, right-click "Mailbox Store" and select Properties,
>>click the Security tab, click Add and input "Domain Power Users", then click
>>OK, and CHECK the "Deny" check box for the "Send As" entry.
>>
>>III. Based on my research, we have a known issue about "Send As" and
>>"Domain Power Users" in SBS 2003 Server; however, the current issue is the
>>reverse issue. You may also check it:
>>Problem Description
>>
>>The 'Send As' permission granted for user A to 'send as' user B keeps
>>disappearing.
>>
>>Explanation and Resolution
>>
>>I. If it's a SBS 2003
>>
>>The issue should be caused by the users being members of the 'Domain Power
>>User' group, possibly because the 'Power Users' template was applied to the
>>users. The 'Domain Power User' is a sub-group of 'SBS Remote Operators',
>>and 'SBS Remote Operators' has the 'Deny Logon Locally' policy setting from
>>the 'Default Domain Controller' GPO. That will cause the ACL permission
>>setting to be reverted.
>>
>>I would suggest any of the following:
>>
>>1) Apply the 'Users' template to the existing power users using the
>>Change User Permissions Wizard.
>>
>>2) Remove 'SBS Remote Operators' from the 'Deny Logon Locally
>>policy' settings, and re-apply the 'Power Users' template to the user
>>accounts.
>>
>>The same cause will raise some other issues, for example '330876 Power
>>Users are Unable to FTP on Microsoft Windows Small Business Server'.
>>
>>II. A normal Exchange server
>>
>>Basically, this issue is most likely caused by the problematic user being
>>part of the groups listed below.
>>
>>Looking at Q319966, where depending on whether that group or the users are
>>members of AdminSDHolder, those permissions can be reset every hour:
>>319966 "You do not have sufficient permissions in the Domain" error message -
>>http://support.microsoft.com/?id=319966.
>>
>>More Information can be found in the following KBs:
>>
>>- 817433 Delegated permissions are not available and inheritance is
>>automatically - http://support.microsoft.com/?id=817433
>>
>>- 318180 AdminSDHolder Thread Affects Transitive Members of
>>Distribution Groups - http://support.microsoft.com/?id=318180
>>
>>This basically states that if the user is a member of a Distribution group
>>that is a member of any of the following groups, the permissions are reset
>>every hour:
>>
>>- Enterprise Admins
>>
>>- Schema Admins
>>
>>- Domain Admins
>>
>>- Administrators
>>
>>- Domain Controllers
>>
>>- Cert Publishers
>>
>>- Backup Operators
>>
>>- Replicator Server Operators
>>
>>- Account Operators
>>
>>- Print Operators
>>
>>IV. Did you install SBS 2003 SP1 and Exchange 2003 SP2? If not, please
>>kindly refer to the following information to install them, and then check
>>if the issue can be reproduced.
>>
>>Installation Instructions for Service Pack 1 for Windows Small Business
>>Server 2003, Standard Edition
>>http://download.microsoft.com/download/2/e/9/2e902d14-da2e-43ba-8bd6-6d258f5356b6/SP1Setup_std.htm
>>
>>Installation Instructions for Service Pack 1 for Windows Small Business
>>Server 2003, Premium Technologies
>>http://download.microsoft.com/download/2/e/9/2e902d14-da2e-43ba-8bd6-6d258f5356b6/SP1Setup_prem.htm
>>
>>Microsoft Windows Small Business Server 2003 Service Pack 1 (SP1)
>>http://www.microsoft.com/downloads/details.aspx?FamilyId=B6F8A4C0-B707-4161-ADEB-44F1B756119F&displaylang=en
>>
>>Exchange Server 2003 Service Pack 2
>>http://www.microsoft.com/downloads/details.aspx?FamilyId=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en
>>
>>Microsoft Exchange Server 2003 Service Pack 2 Release Notes
>>http://download.microsoft.com/download/f/b/5/fb5c54af-fe5c-48e9-be97-f9e8207325ab/Ex_2003_SP2_RelNotes.htm
>>
>>V. Additionally, in order to isolate this specific issue, let's perform the
>>following testing to check the result:
>>
>>1) Use "Add User Wizard" to create a new user, and apply "User Template",
>>then add the user account into the "Account Operators" group, then check if
>>the issue can be reproduced.
>>
>>I appreciate your time and cooperation. Please do not hesitate to let me
>>know if you have any further concerns; I am looking forward to hearing from
>>you.
>>
>>Have a nice day!
>>
>>Best regards,
>>
>>Nathan Liu (MSFT)
>>Microsoft CSS Online Newsgroup Support
>>Get Secure! - www.microsoft.com/security
>>
>>
>
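The mechanics behind both halves of this thread (a right that arrives through nested group membership and is stopped by an explicit Deny, and a grant that keeps disappearing because the target user is a transitive member of an AdminSDHolder-protected group) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not code from the thread, from Microsoft, or from any SBS/Exchange tool. The user and group names (alice, bob, carol, dave, "Ops Announcements"), the single SEND_AS bit standing in for the real extended-right GUID, and the DACL contents are all constructed to mirror the situation described above.

```python
from dataclasses import dataclass

# Constructed stand-in for the "Send As" extended right. Real ACEs identify it
# by a rights GUID; one bit is enough to model how the DACL is evaluated.
SEND_AS = 0x1

# Groups whose members' ACLs AdminSDHolder rewrites (the list quoted in the
# thread from KB 318180; "Replicator" and "Server Operators" are two groups).
PROTECTED_GROUPS = {
    "Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators",
    "Domain Controllers", "Cert Publishers", "Backup Operators", "Replicator",
    "Server Operators", "Account Operators", "Print Operators",
}


@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group the ACE applies to
    rights: int          # bitmask of rights
    inherited: bool = False


def token_groups(principal, members_of):
    """Expand group membership transitively, as a logon token does.
    members_of maps a group to the set of its direct members (users or groups)."""
    parents = {}
    for group, members in members_of.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    token, todo = {principal}, [principal]
    while todo:
        for group in parents.get(todo.pop(), ()):
            if group not in token:
                token.add(group)
                todo.append(group)
    return token


def canonical(dacl):
    """Order ACEs the way the ACL editor stores them: explicit deny, explicit
    allow, inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda ace: rank[(ace.inherited, ace.kind)])


def access_check(token, dacl, requested):
    """Walk the DACL in order. A matching deny on a still-wanted right fails
    the check; matching allows accumulate until every requested bit is granted."""
    remaining = requested
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0


def adminsdholder_will_reset(target_user, members_of):
    """True when an explicit grant placed on target_user's object will not
    survive: the user is (transitively, distribution groups included) a member
    of a protected group, so AdminSDHolder rewrites the ACL every hour."""
    return bool(token_groups(target_user, members_of) & PROTECTED_GROUPS)


# Constructed directory mirroring the thread: alice was created with the Power
# User template (nested into Account Operators via Domain Power Users); bob,
# carol and dave with the plain User template. dave is also in a distribution
# group that someone nested into Backup Operators.
MEMBERS_OF = {
    "Account Operators": {"Domain Power Users"},
    "Domain Power Users": {"alice"},
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Backup Operators": {"Ops Announcements"},
    "Ops Announcements": {"dave"},
}

# bob's DACL as the thread describes it: Account Operators hold Send As via an
# inherited allow, so anyone whose token contains that group qualifies.
BOB_DACL = [
    Ace("allow", "bob", SEND_AS),
    Ace("allow", "Account Operators", SEND_AS, inherited=True),
]


def power_user_can_send_as_bob(dacl=BOB_DACL):
    return access_check(token_groups("alice", MEMBERS_OF), dacl, SEND_AS)


def bob_can_send_as_self(dacl=BOB_DACL):
    return access_check(token_groups("bob", MEMBERS_OF), dacl, SEND_AS)


def with_deny_on_user(dacl=BOB_DACL):
    """Method 2 from the thread: an explicit deny on the user object."""
    return [Ace("deny", "Domain Power Users", SEND_AS)] + list(dacl)


def with_deny_on_store(dacl=BOB_DACL):
    """The ESM step: a deny on the mailbox store reaches bob's mailbox as an
    inherited deny, which still sorts ahead of the inherited allow."""
    return list(dacl) + [Ace("deny", "Domain Power Users", SEND_AS, inherited=True)]


if __name__ == "__main__":
    print("power user can Send As bob:", power_user_can_send_as_bob())
    print("after deny on user object:", power_user_can_send_as_bob(with_deny_on_user()))
    print("after deny on mailbox store:", power_user_can_send_as_bob(with_deny_on_store()))
    print("bob as himself, deny in place:", bob_can_send_as_self(with_deny_on_store()))
    print("grant on dave reset hourly:", adminsdholder_will_reset("dave", MEMBERS_OF))
    print("grant on bob persists:", adminsdholder_will_reset("bob", MEMBERS_OF))
```

Two things the model makes visible that the GUI does not: alice never appears in bob's ACL, yet passes the check, because her token carries "Account Operators" through the nested "Domain Power Users" group; and a Deny placed at the mailbox store level stops her while leaving bob's own explicit Allow intact, because explicit allows sort ahead of inherited denies. The AdminSDHolder check uses the same membership expansion, which is why a grant on dave vanishes hourly even though dave was never added to "Backup Operators" directly. The model deliberately omits owner rights, generic rights mapping and the SACL.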

