Re: Security question (lost OU delegated rights)

From: George (GeorgeN_at_hotmail.com)
Date: 02/14/05


Date: Sun, 13 Feb 2005 19:14:54 -0500

Gentlemen, thanks for both your input - really helps. Appreciated.

George

"Desmond Lee" <mcp@donotspamplease.mars> wrote in message
news:FD859775-1285-4A78-A000-E01D676FE1AF@microsoft.com...
> See
> http://support.microsoft.com/?id=817433
>
> and let us know if this helps. Thanks!
>
>
> "George" wrote:
>
>> Hi,
>> Recently a group of system support personnel was delegated the right to
>> manage User and Computer accounts in AD. The delegated right is very similar or
>> close to that of the default Account Operators group, except that the
>> delegation is at the OU level and not the domain level.
>> One day later, we found that something unusual happened on a global group
>> that all these system support staff are members of. The strange thing is
>> that whoever is a member of this group has the "Allow inheritable permissions
>> from parent ..." check box cleared on their user properties page.
>> In addition, the Account Operators group as well as the Domain Admins group are
>> removed from their security tab.
>> Even when we manually add back these properties, it happens again at
>> roughly 60-minute intervals.
>> We have checked that no GPO in place has this type of setting applied
>> to only this group. Auditing and the event log never showed any trace of
>> object access (at least no user account was identified).
>> We suspect that it could be someone running a script and making it happen
>> like that. And this only happens to that group to which we have delegated user and
>> computer account management permission.
>> Now the question is, is there any way / tools I can use to check / monitor to
>> find out what is causing this? Is this kind of a security breach?
>> Any help appreciated!
>>
>> George
>>
>
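An added example, not part of the thread: a PowerShell check (ActiveDirectory RSAT module) for the symptom George describes across a delegated OU, plus a test of whether the support group is nested under a protected group, which is the AdminSDHolder/SDProp behaviour the KB article Desmond links covers. The OU distinguished name and the support group name are placeholders.

```powershell
# Added example (not from the thread). Reports users whose ACL shows the symptom:
# inheritance disabled and the Account Operators / Domain Admins ACEs missing.
# SDProp also stamps adminCount=1 on every object it re-protects, roughly hourly.
Import-Module ActiveDirectory

$Ou           = 'OU=Support Staff,DC=example,DC=com'   # placeholder: the delegated OU
$SupportGroup = 'SystemSupport'                        # placeholder: the affected global group

function Get-AclSymptomReport {
    param([string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $sd  = $_.nTSecurityDescriptor
            $ids = @($sd.Access | ForEach-Object { $_.IdentityReference.Value })
            [pscustomobject]@{
                Name                = $_.SamAccountName
                AdminCount          = $_.adminCount           # 1 once SDProp has touched it
                InheritanceDisabled = $sd.AreAccessRulesProtected
                HasAccountOperators = @($ids -match 'Account Operators').Count -gt 0
                HasDomainAdmins     = @($ids -match 'Domain Admins').Count -gt 0
            }
        }
}

# Which protected groups (Account Operators, Domain Admins, Backup Operators, ...)
# contain the support group, directly or through nesting? Any hit explains why its
# members are re-stamped on the SDProp interval rather than by a script.
function Get-TransitiveGroupMembership {
    param([string]$GroupName)
    $dn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership server-side.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object Name, DistinguishedName
}

Get-AclSymptomReport -SearchBase $Ou |
    Where-Object { $_.InheritanceDisabled -and -not $_.HasAccountOperators } |
    Format-Table -AutoSize

Get-TransitiveGroupMembership -GroupName $SupportGroup | Format-Table -AutoSize
```

Users flagged by the first report who also appear in a protected group's transitive membership are being re-protected by the directory itself; monitoring for a scripted culprit only makes sense for objects that do not.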