Default domain permissions

ade

Hi all - posted this issue in win2000.active_directory a few days ago,
wonder if someone could help me?

The OS is Windows 2000, single domain in native mode.

When I log onto my machine (which has the admin tools installed) as a normal
user, I can modify/create/delete domain user accounts, and create new GPOs.

Things I have tried:

Checking Everyone group and domain user group permissions on the domain and
each OU. Would appear that those groups have reset password and some write
permissions. They are not members of domain admins/admins/enterprise
admins.

I have searched high and low for what the default domain user permissions
should be but cannot locate a document with them on. Could someone post
them here please?

Any help much appreciated.
 
Roger Abell

I do not believe there is such a document, and if so, then I would
question if it is up-to-date.

You say a normal user has those abilities, but you have not mentioned
the history of the environment, or whether you have considered all
groups in which the user holds membership.
The abilities you mentioned are things often delegated, and it sounds
as if the Users group may have been delegated those abilities.
 
Jorge_de_Almeida_Pinto

To see what the default explicit security is of each object in AD when
created, do the following:
BE VERY CAREFUL WITH WHAT YOU DO!
* Open a command prompt
* Run schmmgmt.msc
* Click on the Classes node
* Right-click on the class of the object you want to check the default permissions for
* Click on the Default Security tab (may be called something else depending on OS)
* Et voilà, the default permissions for the class an object belongs to
 
ade

Chaps - thanks for the replies.

I'll check them out at work Monday and post my findings.

BTW - the user account in question is a member of domain users ONLY.
 
ade

Found it using the Hyena tool someone else has mentioned in a post.

The Everyone group was a member of Administrators!

Removed it and will test later.
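
Added example, not part of the original thread: a membership audit for the condition found above, a broad principal such as Everyone nested (directly or through other groups) inside a privileged group. Everyone and Authenticated Users are added to the logon token implicitly and never appear in an account's own group list, so the check walks the privileged groups' members instead. The group data and the names MEMBERS, PRIVILEGED, BROAD and broad_principal_paths are constructed for illustration; in practice the membership map would come from a directory export.

```python
# Constructed sample: group -> direct members (not data from the thread).
MEMBERS = {
    "Administrators": ["Administrator", "Domain Admins",
                       "Enterprise Admins", "Everyone"],
    "Domain Admins": ["Administrator", "IT Support"],
    "Enterprise Admins": ["Administrator"],
    "Account Operators": [],
    # Nested group that also loops back to Domain Admins (a cycle).
    "IT Support": ["jsmith", "Domain Users", "Domain Admins"],
}

# Groups whose membership grants administrative rights in the domain.
PRIVILEGED = ["Administrators", "Domain Admins",
              "Enterprise Admins", "Account Operators"]

# Principals that cover (nearly) every account, with their well-known SIDs.
BROAD = {
    "Everyone": "S-1-1-0",
    "Authenticated Users": "S-1-5-11",
    "Users": "S-1-5-32-545",
    "Domain Users": "S-1-5-21-<domain>-513",
}


def broad_principal_paths(members, privileged, broad):
    """Return (privileged_group, nesting_path) for every broad principal
    reachable from a privileged group through direct or nested membership."""
    findings = []
    for root in privileged:
        stack = [(root, (root,))]
        seen = {root}  # guards against circular group nesting
        while stack:
            group, path = stack.pop()
            for member in members.get(group, []):
                if member in broad:
                    findings.append((root, path + (member,)))
                elif member in members and member not in seen:
                    seen.add(member)
                    stack.append((member, path + (member,)))
    return sorted(findings)


if __name__ == "__main__":
    for root, path in broad_principal_paths(MEMBERS, PRIVILEGED, BROAD):
        print(f"{root}: {' -> '.join(path)} ({BROAD[path[-1]]})")
```

Each reported path shows the chain of nesting to remove; an empty result means no broad principal reaches any of the listed privileged groups.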
 
