Security question

From: George (GeorgeN_at_hotmail.com)
Date: 02/13/05


Date: Sat, 12 Feb 2005 22:12:04 -0500

Hi,
Recently a group of system support personnel was delegated the right to
manage user and computer accounts in AD. The delegated right is very similar or
close to that of the default Account Operators group, except that the
delegation is at the OU level and not the domain level.
One day later, we found that something unusual happened on a global group
that all these system support staff are a member of. The strange thing is
that whoever is a member of this group has the "Allow inheritable permissions
from parent ..." check box cleared on their user properties page.
In addition, the Account Operators as well as the Domain Admins group are
removed from their Security tab.
Even when we manually add back these properties, it happens again at
roughly 60-minute intervals.
We have checked that no GPO in place has this type of setting applied
only to this group. Auditing and the event log never showed any trace of
object access (at least not / no user account identified).
We suspect that it could be someone running a script and making it happen like
that. And this only happens to the group to which we have delegated user and
computer account management permission.
Now the question is, is there any way / tools I can check / monitor to find
out what is causing this? Is this a kind of security breach?
Any help appreciated!

George
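An added example, not part of George's post or any reply: a PowerShell check (assumes the RSAT ActiveDirectory module and a placeholder group name) that enumerates the delegated group's members and reports the two symptoms described above, blocked inheritance and missing Account Operators / Domain Admins entries, together with adminCount and the last-modified time so the hourly pattern can be confirmed. adminCount = 1 with inheritance blocked is the mark that the AdminSDHolder/SDProp process (which runs hourly by default) leaves on members of protected groups, so the output also tells you whether to look for this group nested under a protected group rather than for a rogue script.

```powershell
# Added example: audit ACL state of every user in the delegated support group.
# Assumes the ActiveDirectory module (RSAT); the group name is a placeholder.
Import-Module ActiveDirectory

$GroupName        = 'SupportStaff'                            # placeholder, not from the post
$ExpectedTrustees = @('Account Operators', 'Domain Admins')   # names as shown in the Security tab

function Test-MemberAclState {
    param([string]$Group)

    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # nTSecurityDescriptor is the object's ACL; adminCount is the flag SDProp stamps.
            $u   = Get-ADUser -Identity $_.distinguishedName `
                              -Properties adminCount, nTSecurityDescriptor, whenChanged
            $acl = $u.nTSecurityDescriptor

            # Collect every trustee that still has an ACE on the object.
            $trustees = $acl.Access | ForEach-Object { $_.IdentityReference.Value }

            # Trustees George expects to see but which have been stripped from the ACL.
            $missing = $ExpectedTrustees | Where-Object {
                -not ($trustees -match [regex]::Escape($_))
            }

            [pscustomobject]@{
                User               = $u.SamAccountName
                InheritanceBlocked = $acl.AreAccessRulesProtected   # the cleared check box
                AdminCount         = $u.adminCount                  # 1 => protected by SDProp
                MissingTrustees    = ($missing -join ', ')
                LastChanged        = $u.whenChanged                 # compare across the hourly cycle
            }
        }
}

Test-MemberAclState -Group $GroupName | Format-Table -AutoSize
```

Run it twice about an hour apart: if LastChanged advances while InheritanceBlocked stays True and AdminCount is 1, the change is coming from SDProp, not from a user-driven script, which also explains why object-access auditing shows no user account.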


