Schema Privileges

Guest

Is there a "backdoor" or way for an application installation to get elevated privileges to update the AD schema?

E.g. the Schema Admins group is empty and the Schema partition is not set to be writable, however an end-user attempts to install an application on their workstation which tries to update the schema as part of the install. To be able to install the app the application is already in an elevated privilege state. Is there a way to ensure that there is no chance a rogue app installed by an end-user can update the schema?
 
Mike Aubert

By default only Windows Installer packages assigned/published through Group
Policy (or manually by the admin using msiexec) install using elevated
privileges - not packages the user manually starts him/herself. However, you
can use Group Policy or manually change this in the registry to allow any
package to install using elevated privileges.

Even if you did allow any Windows Installer package to use elevated
privileges, the privileges used during the installation are those of the
local system (i.e. the computer where the install is being performed). A
workstation's domain account has no permission to edit the schema by
default.

So, to answer your first question: no.

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future; remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.


SJM said:
> Is there a "backdoor" or way for an application installation to get
> elevated privileges to update the AD schema?
> E.g. the Schema Admins group is empty and the Schema partition is not set
> to be writable, however an end-user attempts to install an application on
> their workstation which tries to update the schema as part of the install.
> To be able to install the app the application is already in an elevated
> privilege state. Is there a way to ensure that there is no chance a rogue
> app installed by an end-user can update the schema?
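The two points Mike makes can both be verified from the console: whether the "any Windows Installer package installs elevated" setting has been turned on (it only takes effect when the machine and user policy values are both set to 1), and who actually holds schema rights through the Schema Admins group. The following PowerShell audit script is an added example, not part of the thread or of any Microsoft tooling; the function names are mine, the registry paths are the standard Windows Installer policy locations, and the second function assumes the ActiveDirectory module is available on the machine running it.

```powershell
# Added audit example (not from the thread). Reports whether the "install any
# package with elevated privileges" policy is effective on this workstation and
# lists the members of Schema Admins in the forest root domain.

function Test-AlwaysInstallElevated {
    # Windows Installer honours this policy only when BOTH the machine-wide and
    # the per-user value are 1; a single value set on its own has no effect.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $values = foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        if ($null -eq $item) { 0 } else { [int]$item.AlwaysInstallElevated }
    }
    [PSCustomObject]@{
        MachineValue = $values[0]
        UserValue    = $values[1]
        Effective    = ($values[0] -eq 1 -and $values[1] -eq 1)
    }
}

function Get-SchemaAdminsMembers {
    # Assumes the RSAT ActiveDirectory module is installed on this host.
    Import-Module ActiveDirectory -ErrorAction Stop
    # Schema Admins exists only in the forest root domain, so query a DC there
    # rather than the workstation's own domain.
    $rootDomain = (Get-ADForest).RootDomain
    Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

$policy = Test-AlwaysInstallElevated
if ($policy.Effective) {
    Write-Warning "AlwaysInstallElevated is in effect: any MSI this user starts runs as LocalSystem."
} else {
    Write-Output "AlwaysInstallElevated not in effect (HKLM=$($policy.MachineValue), HKCU=$($policy.UserValue))."
}

$members = @(Get-SchemaAdminsMembers)
if ($members.Count -eq 0) {
    Write-Output "Schema Admins is empty, as recommended between planned schema changes."
} else {
    Write-Warning "Schema Admins has $($members.Count) member(s): $($members -join ', ')"
}
```

Even when the first check reports the policy as effective, the install still runs as the workstation's LocalSystem account, which authenticates to the domain as the computer object; that object has no write access to the schema naming context unless someone has granted it, which is why the second check (an empty Schema Admins group, plus whatever explicit ACL review your change process requires) is the one that actually answers the original question.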