Security question

G

George

Hi,
Recently a group of system support personnel is delegated the right to
manage
User and Computer accounts on AD. The delegated right is very similar or
close to that of the default Account Operator group except that the
delegation is at the OU level and not the domain level.
One day later , we found that something unusual happened on a global group
that all these system support staff are a member of. The strange thing is
that whoever is a member of this group then their user properties page will
have the "Allow inheritable permission from parent ..." check box cleared.
In addition , the Account Operator as well as the domain admin group will be
removed from their security tab.
Even when we manual add back these properties , it will happen again in
roughly 60 minutes interval.
We have checked that no GPO in place have this type of setting and applied
to only this group. Auditing and eventlog log never showed any trace of
object access ( at least not / no user account identified).
We suspect that it could be someone running a script and make it happen like
that. And this only happen to that group which we have delegated user and
computer account managment permission.
Now the question is , is there any way / tools I can check/ monitor to find
out what is causing this ? Is this can of a security breach ?
Any help appreciated !

George
 
S

Steven L Umbach

When you delegate permissions to manage user accounts, members of privileged
groups such as domain admins, server operators, and account operators will
not be included. In other words a regular user can never be able to manage
the account of a domain admin. That is why the inheritance box is cleared
and if you enable it the operating system checks for this and removes it
every sixty minutes as you describe. Also it seems that when you delegate
permission to mange user accounts, peer accounts will be excluded so that
the users in the group that were delegate the permission can not manage each
others accounts. There are recent posts in this newsgroup [or the
server.security newsgroup] about this subject where another poster did some
extensive testing on this very subject where he discovered this "peer user"
effect. So what you are experiencing is normal and only admins can manage
admin accounts and will probably have to manage the accounts of the group
you delegate permissions to manage other user accounts unless you work
around the peer effect with other user delegation to their accounts such as
adding their accounts to an OU and then delegating that permission for that
OU to a user not in that group.. --- Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Questions on security 1
Audting Changes to Active Directory Security groups. 1
Auditing for account or group creation priviledge 0
share Permissions problem 1
DCOM error 10017 0
AD built in Administrator account options 1
Windows 2000 folder, files security setting did not propagate correctly? 3
Non Delivery Report/Delegation 1

Top