Deny account operators from deleting users

lordchaos

Hi all,
I have a problem regarding denying account operators from deleting users in a
Windows 2003 Active Directory domain. I thought it would be quite straightforward,
but it actually wasn't. I added an ACE to one OU by setting 'Delete', 'Delete
Sub-tree' and 'Delete All Child Objects' (which will set all other granular
delete flags) to deny for members of the account operators group, and applied it
to this object and all child objects. I assumed that these settings (deny ACEs)
would be deducted from the rights any member of the account operators group is
granted by group membership, but account operators can still delete users! As I
investigated more, I found out that the effective permission on the OU is
correct: account operators cannot delete anything. But the effective permission
on user objects directly beneath that OU shows that account operators have full
permission and the deny ACE was overridden somehow. By the way, the audit log
showed that the account operator has deleted the user successfully.
Does anyone know what this is all about??


Thanks in advance
 
Joe Richards [MVP]

Yep. What it is all about is why you shouldn't use account ops.

Account ops is a legacy group from NT that had the ability to muck with all
computer, group, and user accounts. As such the default security descriptors on
those objects in the schema have permissions granted to account operators.

This means when you instantiate any of those objects, they will have explicit
full control permissions granted to account ops.

As you are probably aware, the permissions model is one of deny overrides grant,
explicit overrides inherited. That means your inherited deny is being overridden
by the explicit grant.

The proper way to do this is to build your own groups that you delegate
permissions to. Then you grant what you want and don't have to deny anything.
Denies tend to be messy and difficult to figure out later anyway.


joe
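
The precedence Joe describes, modelled as an added example (not code from either poster): a small simulation of the canonical ACE order and the access check it drives, applied to a constructed OU and user-object DACL. Group names, right names and the default-security-descriptor ACE are constructed for illustration.

```python
from dataclasses import dataclass

DELETE, WRITE_PROP = "Delete", "WriteProperty"
FULL_CONTROL = frozenset({DELETE, WRITE_PROP})  # Full Control, reduced to two rights

@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool        # False means a deny ACE
    rights: frozenset  # the access mask, modelled as a set of right names
    inherited: bool    # True when propagated down from a parent container

def canonical_order(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, token_groups, requested):
    """Walk the DACL in canonical order: stop at the first deny that covers a
    still-unsatisfied right, succeed once every requested right is granted."""
    remaining = set(requested)
    for ace in canonical_order(dacl):
        if ace.trustee not in token_groups:
            continue
        if not ace.allow and ace.rights & remaining:
            return False           # a deny wins for any right still outstanding
        if ace.allow:
            remaining -= ace.rights
        if not remaining:
            return True
    return False                   # implicit deny: nothing granted the rest

# The poster's setup (constructed): the OU's deny is inherited by the user
# object, but the user class's default security descriptor stamped an explicit
# Full Control for Account Operators onto the object when it was created.
OU_DACL = [Ace("Account Operators", False, frozenset({DELETE}), inherited=False)]
USER_OBJECT_DACL = [
    Ace("Account Operators", False, frozenset({DELETE}), inherited=True),
    Ace("Account Operators", True, FULL_CONTROL, inherited=False),
]
# Joe's alternative: a purpose-built group (hypothetical name) granted only what
# it needs; deletion fails by implicit deny without any deny ACE at all.
DELEGATED_DACL = [Ace("HelpDesk-UserAdmins", True, frozenset({WRITE_PROP}), inherited=True)]

def account_ops_delete(dacl):
    return access_check(dacl, {"Account Operators"}, {DELETE})

def helpdesk_access(right):
    return access_check(DELEGATED_DACL, {"HelpDesk-UserAdmins"}, {right})
```

Running `account_ops_delete` against the OU returns False but against the user object returns True, which is exactly the split the effective-permissions tab showed in the question.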
 
