Re: Security question

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/13/05

  • Next message: Roger Abell: "Re: Questions on security"
    Date: Sat, 12 Feb 2005 21:49:16 -0600
    
    

    When you delegate permissions to manage user accounts, members of privileged
    groups such as domain admins, server operators, and account operators will
    not be included. In other words a regular user can never be able to manage
    the account of a domain admin. That is why the inheritance box is cleared
    and if you enable it the operating system checks for this and removes it
    every sixty minutes as you describe. Also it seems that when you delegate
    permission to manage user accounts, peer accounts will be excluded so that
    the users in the group that were delegated the permission cannot manage each
    others' accounts. There are recent posts in this newsgroup [or the
    server.security newsgroup] about this subject where another poster did some
    extensive testing on this very subject where he discovered this "peer user"
    effect. So what you are experiencing is normal and only admins can manage
    admin accounts and will probably have to manage the accounts of the group
    you delegate permissions to manage other user accounts unless you work
    around the peer effect with other user delegation to their accounts such as
    adding their accounts to an OU and then delegating that permission for that
    OU to a user not in that group. --- Steve

    "George" <GeorgeN@hotmail.com> wrote in message
    news:eJecWrXEFHA.3492@TK2MSFTNGP12.phx.gbl...
    > Hi,
    > Recently a group of system support personnel was delegated the right to
    > manage User and Computer accounts on AD. The delegated right is very similar or
    > close to that of the default Account Operator group except that the
    > delegation is at the OU level and not the domain level.
    > One day later, we found that something unusual happened on a global group
    > that all these system support staff are a member of. The strange thing is
    > that whoever is a member of this group then their user properties page
    > will have the "Allow inheritable permission from parent ..." check box cleared.
    > In addition, the Account Operator as well as the domain admin group will
    > be removed from their security tab.
    > Even when we manually add back these properties, it will happen again in
    > roughly 60 minute intervals.
    > We have checked that no GPO in place has this type of setting and applied
    > to only this group. Auditing and the event log never showed any trace of
    > object access (at least not / no user account identified).
    > We suspect that it could be someone running a script and making it happen
    > like that. And this only happens to that group which we have delegated user and
    > computer account management permission.
    > Now the question is, is there any way / tools I can check / monitor to
    > find out what is causing this? Is this kind of a security breach?
    > Any help appreciated!
    >
    > George
    >
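The check George asks for, as an added example that is not part of the original thread or of any Microsoft tool: the behaviour Steve describes (inheritance cleared and the ACL rewritten on a schedule, with no user identified in the audit log) is the domain controller's own protection of accounts it treats as privileged, which stamps the ACL of the AdminSDHolder object onto them and sets their adminCount attribute to 1. The script below lists the members of a delegated support group and, for each user, whether adminCount is set, whether inheritance is disabled, and whether the object's DACL currently equals the AdminSDHolder DACL. It assumes the ActiveDirectory PowerShell module is installed and that `SupportStaff` is replaced by the real group name; the SDDL comparison is a heuristic that flags stamped objects and is not an official API for that purpose.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$groupName = 'SupportStaff'   # placeholder: the delegated support group from the post

# AdminSDHolder's DACL is the template that gets copied onto protected objects.
$domainDn      = (Get-ADDomain).DistinguishedName
$adminSdHolder = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDn" `
                              -Properties nTSecurityDescriptor
$templateSddl  = $adminSdHolder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')

Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u  = Get-ADUser -Identity $_.distinguishedName -Properties adminCount, nTSecurityDescriptor
        $sd = $u.nTSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity

        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            # adminCount = 1 means the object has been marked as protected.
            AdminCount           = $u.adminCount
            # True when "Allow inheritable permissions from parent" is cleared.
            InheritanceDisabled  = $sd.AreAccessRulesProtected
            # True when the DACL matches the AdminSDHolder template (heuristic).
            MatchesAdminSDHolder = ($sd.GetSecurityDescriptorSddlForm('Access') -eq $templateSddl)
        }
    } | Format-Table -AutoSize
```

A row showing `AdminCount = 1`, `InheritanceDisabled = True` and `MatchesAdminSDHolder = True` is the system protection at work rather than a foreign script, which matches Steve's reading; re-enabling inheritance by hand on such an object will simply be undone again on the next pass, so the fix is to move the delegated users out of the privileged group membership that is causing them to be protected, as Steve suggests, not to fight the ACL.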
