Re: AD Schema Security
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 02/22/04
- In reply to: SKM: "AD Schema Security"
Date: Sun, 22 Feb 2004 11:49:34 -0700
You are already safeguarded against this happening.
If you wish to further make certain, then you could restrict write
permissions on the administrative groups. Even then, just as
a rogue app would need to change the Schema Admins group
membership, it would, after changes, only have to acquire an
account context able to change Schema Admins membership.
Whether you make any changes to the default security settings
or not, it would be a determined crack app, not just an accident,
that would be needed.

"SKM" <anonymous@discussions.microsoft.com> wrote in message
news:6DD25A75-A7E1-46D4-8BAF-D18398BFA114@microsoft.com...
> Hi all
>
> Is there a "backdoor" or way for an application installation to
> programmatically get elevated privileges to update the AD schema?
>
> E.g. the Schema Admins group is empty and the Schema partition is not set to
> be writable, however an end-user attempts to install an application on their
> workstation which tries to update the schema as part of the install. To be
> able to install the app the application is already in an elevated privilege
> state. Is there a way to ensure that there is no chance a rogue app
> installed by an end-user can update the schema?
> I would like to ensure that in this situation, the schema update by the
> user's application install should FAIL
>
> Thanks
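
The reply above turns on who holds write permission on the Schema Admins group itself. As an added example (not part of the original thread), this Python sketch reviews an exported SDDL security descriptor for such a group and lists the trustees whose allow ACEs let them change its membership or re-grant themselves that right. The sample descriptor, its SID and the placeholder GUID are constructed; property sets, deny ACEs and group nesting are not evaluated.

```python
import re

# schemaIDGUID of the "member" attribute, which holds group membership.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
# Rights that allow changing membership (WP, GW, GA) or re-granting
# oneself that right (WD = write DACL, WO = write owner), with mask bits.
RISKY = {"WP": 0x20, "WD": 0x40000, "WO": 0x80000,
         "GW": 0x40000000, "GA": 0x10000000}

def codes(field):
    """Split a run of two-letter SDDL codes, e.g. 'RPWPWD'."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def risky_rights(rights):
    if rights.lower().startswith("0x"):          # rights given as a hex mask
        mask = int(rights, 16)
        return {name for name, bit in RISKY.items() if mask & bit}
    return codes(rights) & set(RISKY)

def membership_writers(sddl):
    """List (trustee, rights) for DACL allow ACEs that permit changing the
    group's membership or its security descriptor."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)) if dacl else []:
        ace_type, flags, rights, obj_guid, _, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA"):          # skip deny and audit ACEs
            continue
        if "IO" in codes(flags):                 # inherit-only: not effective here
            continue
        found = risky_rights(rights)
        if obj_guid and obj_guid.lower() != MEMBER_GUID:
            found.discard("WP")                  # write scoped to another attribute
        if found:
            findings.append((trustee, sorted(found)))
    return findings

# Constructed sample: DACL of a hypothetical Schema Admins group object.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCCDCLCSWRCWDWOSD;;;DA)"             # Domain Admins, broad rights
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;"
    "S-1-5-21-1111111111-2222222222-3333333333-1105)"  # constructed SID
    "(OA;;RPWP;00000000-0000-0000-0000-000000000001;;PS)"  # placeholder GUID
    "(A;;RPLCRC;;;AU)"                           # read-only for Authenticated Users
    "(A;CIIO;GA;;;CO)"                           # inherit-only, ignored
    "(A;;0xf01ff;;;SY)"                          # full control as a hex mask
)

if __name__ == "__main__":
    for trustee, rights in membership_writers(SAMPLE_SDDL):
        print(trustee, ",".join(rights))
```

Any trustee reported here is an account context able to change Schema Admins membership, so each one should be an expected administrative principal.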