Denying Changes to Group Membership

carlrimmel

Got an interesting problem. We are running Windows 2003 SP1 Active
Directory. I am trying to add a specific "Deny" permission to the
Built-In Administrators group that would deny the ability for a member
of the group to be able to actually change the membership of the
Administrators group. (I know, I know... why is it a member of this
group if you don't want it to have the permissions - well, it is a
service account utilized by a lousy piece of software that needs to be
included in this group.)

Regardless, here is what I have found. If I add a Deny to the
Administrators group for "Write Members" and "Apply Onto" "This Object
Only", then it works fine. But, since the AdminSDHolder reverts it
back every hour, I need to make the change on the AdminSDHolder. So, I
try to add a Deny on the AdminSDHolder for "Write Members" and "Apply
onto" "Group Objects" (because "This Object Only" doesn't list "Write
Members" on the AdminSDHolder object), and then it doesn't work. Applying
it directly to the Administrators group using "Group Objects" doesn't
work either.

Is the Built-In Administrators group referred to as something other than
a "Group Object" within AD? This is the only reason I can see that
this would not work properly.

Any help would be appreciated.

Thanks
Carl
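An added example (editor's code, not anything posted in this thread) that works through Carl's AdminSDHolder question with ADSI from PowerShell. It assumes a placeholder domain DN of DC=contoso,DC=com, a placeholder service account CONTOSO\svc-app, Domain Admin rights, and a host that can reach the PDC emulator; the 'member' attribute GUID is the fixed schema value. The deny is scoped to the one service account rather than to the whole Administrators group as Carl tried, because denying Administrators also locks out every legitimate admin. The reason "Apply onto: Group objects" never takes effect is that SDProp copies the AdminSDHolder DACL onto each protected group as-is, and an ACE scoped to "Group objects" is an inherit-only ACE meant for child objects of the group, which do not exist. An ACE scoped to "This object only" (inheritance None) does land on the group itself, even though the GUI hides "Write Members" for the AdminSDHolder container. Note that any member of Administrators can edit the AdminSDHolder DACL, so this is friction, not a security boundary.

```powershell
# Added example, not code from the thread. Placeholders: domain DN and service
# account. Uses System.DirectoryServices (ADSI), so no ActiveDirectory module
# is needed and it works against Windows Server 2003 DCs.

$DomainDN       = "DC=contoso,DC=com"   # placeholder: your domain's DN
$ServiceAccount = "CONTOSO\svc-app"     # placeholder: the account to fence in

# Fixed schema GUID of the 'member' attribute (same in every AD forest).
$MemberAttrGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"

function Get-AdminSDHolderMemberAces {
    # Lists the ACEs on AdminSDHolder that govern the 'member' attribute,
    # i.e. what SDProp will stamp onto Administrators and the other
    # protected groups on its next pass.
    $holder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$DomainDN"
    $holder.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $MemberAttrGuid }
}

function Add-AdminSDHolderDenyWriteMembers {
    param([string]$Identity = $ServiceAccount)
    $holder    = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$DomainDN"
    $principal = New-Object System.Security.Principal.NTAccount($Identity)

    # InheritanceType None = "This object only". SDProp copies this DACL onto
    # each protected object verbatim, so an object-scoped ACE applies to the
    # Administrators group itself. A "Group objects" ACE would be inherit-only
    # and would wait for child group objects that a group never has.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $principal,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $MemberAttrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )

    $holder.ObjectSecurity.AddAccessRule($ace)
    $holder.CommitChanges()
}

function Invoke-SDPropNow {
    # Trigger SDProp immediately instead of waiting for the hourly run. Bind
    # to the PDC emulator; the write is rejected elsewhere. 'fixupInheritance'
    # is the trigger on Windows 2000/2003/2008; on 2008 R2 and later the
    # RootDSE attribute is 'runProtectAdminGroups'.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $rootDse.Put("fixupInheritance", "1")
    $rootDse.SetInfo()
}

# Equivalent with the built-in dsacls tool (/D = deny, WP = write property,
# ';member' = only the member attribute), if you prefer the command line:
#   dsacls "CN=AdminSDHolder,CN=System,DC=contoso,DC=com" /D "CONTOSO\svc-app:WP;member"

Add-AdminSDHolderDenyWriteMembers
Invoke-SDPropNow
Get-AdminSDHolderMemberAces |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType -AutoSize
```

After SDProp has run, re-read the DACL of CN=Administrators,CN=Builtin,... and confirm the deny ACE is present there with no inheritance flags; that is the check that tells you the AdminSDHolder change actually propagated rather than being silently dropped.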
 
Herb Martin

> Got an interesting problem. We are running Windows 2003 SP1 Active
> Directory. I am trying to add a specific "Deny" permission to the
> Built-In Administrators group that would deny the ability for a member
> of the group to be able to actually change the membership of the
> Administrators group. (I know, I know... why is it a member of this
> group if you don't want it to have the permissions - well, it is a
> service account utilized by a lousy piece of software that needs to be
> included in this group.)

Perhaps your best bet is to just make a "Restricted Group"
which will FIX the group membership to the list you
provide.

While technically the group will be changeable, any change
will be restored at each GPO update, which is every 5 (or
15) minutes for DCs.

You can of course go in and put "DENY Modify" permissions
on the group just like you would with a file (use either the
Everyone group or admins).

BTW, I don't care how special that software is, it is a
complete piece of junk if it must be a domain admin, MUCH
LESS if it makes unauthorized changes to your AD.

Find a replacement and junk that piece of $%Q$% Junk.
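An added example of the Restricted Groups setting Herb describes, as it appears in the security template (GptTmpl.inf) behind a GPO linked to the Domain Controllers OU. This is editor-supplied, not from the thread; the only real identifier is the well-known BUILTIN\Administrators SID S-1-5-32-544, and the domain-specific SIDs and the CONTOSO\svc-app account are placeholders.

```ini
; Added example, not from the thread. Excerpt of
; \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
; for a GPO linked to the Domain Controllers OU. Only S-1-5-32-544 is real;
; the S-1-5-21-... SIDs and CONTOSO\svc-app are placeholders.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; "Members of this group": BUILTIN\Administrators is reset to exactly this
; list on every refresh. Anyone not listed (including you) is removed.
; Domain Admins (-512), Enterprise Admins (-519), the built-in Administrator (-500)
; and the service account the software insists on.
*S-1-5-32-544__Members = *S-1-5-21-<domain-placeholder>-512,*S-1-5-21-<domain-placeholder>-519,*S-1-5-21-<domain-placeholder>-500,CONTOSO\svc-app
; "This group is a member of": left empty so no memberOf changes are enforced.
*S-1-5-32-544__Memberof =
```

Build this through the GPMC editor (Computer Configuration > Windows Settings > Security Settings > Restricted Groups) rather than by hand-editing SYSVOL, so the GPO version numbers stay consistent. Besides the refresh interval Herb mentions, security settings are re-applied every 16 hours even when the GPO has not changed, so a stray membership change on a DC is undone within one refresh. The list is authoritative, so confirm it contains every account that must stay in Administrators before linking the GPO, and remember that whoever can edit this GPO can edit the group, so GPO edit rights need the same scrutiny as the group itself.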
 
chriss3 [MVP]

I 100% agree with Herb Martin on this; there is nothing more to add, other than to
ensure you have auditing turned on to monitor a change like that.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services


No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Resources

Herb Martin said:
> > Got an interesting problem. We are running Windows 2003 SP1 Active
> > Directory. I am trying to add a specific "Deny" permission to the
> > Built-In Administrators group that would deny the ability for a member
> > of the group to be able to actually change the membership of the
> > Administrators group. (I know, I know... why is it a member of this
> > group if you don't want it to have the permissions - well, it is a
> > service account utilized by a lousy piece of software that needs to be
> > included in this group.)
>
> Perhaps your best bet is to just make a "Restricted Group"
> which will FIX the group membership to the list you
> provide.
>
> While technically the group will be changeable, any change
> will be restored at each GPO update, which is every 5 (or
> 15) minutes for DCs.
>
> You can of course go in and put "DENY Modify" permissions
> on the group just like you would with a file (use either the
> Everyone group or admins).
>
> BTW, I don't care how special that software is, it is a
> complete piece of junk if it must be a domain admin, MUCH
> LESS if it makes unauthorized changes to your AD.
>
> Find a replacement and junk that piece of $%Q$% Junk.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
> > Regardless, here is what I have found. If I add a Deny to the
> > Administrators group for "Write Members" and "Apply Onto" "This Object
> > Only", then it works fine. But, since the AdminSDHolder reverts it
> > back every hour, I need to make the change on the AdminSDHolder. So, I
> > try to add a Deny on the AdminSDHolder for "Write Members" and "Apply
> > onto" "Group Objects" (because "This Object Only" doesn't list "Write
> > Members" on the AdminSDHolder object), and then it doesn't work. Applying
> > it directly to the Administrators group using "Group Objects" doesn't
> > work either.
> >
> > Is the Built-In Administrators group referred to as something other than
> > a "Group Object" within AD? This is the only reason I can see that
> > this would not work properly.
> >
> > Any help would be appreciated.
> >
> > Thanks
> > Carl
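An added example for the auditing Christoffer recommends, written by the editor and not posted in the thread. It pulls group-membership change events for the privileged groups from a DC's Security log. The DC name DC01 is a placeholder, and the event IDs are the Windows Server 2008 and later ones; on the Windows 2003 DCs in the original question the equivalents are 632/633 (global), 636/637 (domain local, which covers the built-in Administrators group) and 660/661 (universal), and the log is read with Get-EventLog instead.

```powershell
# Added example, not from the thread. Placeholder DC name; 2008+ event IDs.
# Prerequisite: the policy must actually generate the events. On 2008+:
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
# On Windows 2003, enable "Audit account management" in the Default Domain
# Controllers Policy instead.

# Member added / removed for security groups: global, domain local, universal.
$MembershipEventIds = 4728, 4729, 4732, 4733, 4756, 4757

function Get-PrivilegedGroupMembershipChanges {
    param(
        [string]$ComputerName = "DC01",   # placeholder DC name
        [string[]]$Groups = @("Administrators", "Domain Admins", "Enterprise Admins"),
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = "Security"; Id = $MembershipEventIds; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData fields (TargetUserName is the group,
        # MemberName the DN of the account added or removed, Subject* who did it).
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($Groups -contains $d.TargetUserName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Group     = $d.TargetUserName
                Member    = $d.MemberName
                ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                DC        = $ComputerName
            }
        }
    }
}

Get-PrivilegedGroupMembershipChanges | Sort-Object Time | Format-Table -AutoSize
```

Membership changes are logged on whichever DC processed the write, so run this against every DC (or forward the Security logs centrally) rather than only the PDC emulator. In the scenario from the thread, any event whose ChangedBy is the service account, or whose Member is an account nobody approved, is the signal that the software is touching the group, and with Restricted Groups in place you should also see the matching removal a few minutes later when the GPO refresh undoes it.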
 
