Renaming OUs

  • Renaming OUs

    Hi folks...

    We have a problem whereby our Service Desk personnel (members of the "Account Operators" BUILTIN AD group) once in a while manage to rename an OU by accident and thereby screw up large bits of infrastructure.

    We have modified permissions at the Domain level in AD Users and Computers such that Account Operators have Full Control except for a specific "Deny" on "Write All Properties", "Delete" and "Delete Subtree"; this permissions entry is applied to "Organisational Units". Unfortunately they can still rename OUs. Does "Rename" not count as "Writing a property" of an OU? or is there another way to deny this ability on a global basis only to OU objects?

    See the screenshot for the permissions applied on the domain object in ADU&C - these permissions are cascaded to objects properly and checking the permissions on an OU shows that they are applied.

    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

  • #2
    Re: Renaming OUs

    What all do service desk employees need to be able to do?

    If all they need are things like password resets, you may be better off creating an entirely separate group for them and only assigning the permissions they will need to do their job.

    Here is the link to a TechNet article that goes through object permissions:

    http://technet2.microsoft.com/window....mspx?mfr=true
    Technology is only as good as those who use it

    My tech blog - wiredtek.wordpress.com



    • #3
      Re: Renaming OUs

      Hi,

      As per Microsoft: a rename equals deletion of the previous object and creation of a new object.

      So in order to rename an OU you must have permission to create and delete the OU object.

      Ask if anything specific is needed.

      Regards,
      Kapil Sharma
      ~~~~~~~~~~~~~
      Life is too short, Enjoy It.



      • #4
        Re: Renaming OUs

        Well, as you see from the permissions above, they simply DO NOT HAVE those permissions; in fact "delete" is specifically denied on OUs... and yet they can.

        Wired; they need account operators as they are a highly skilled service desk; however they sometimes make mistakes as do all humans and this renaming of key OUs is one that crops up a lot. It's the only time we get major issues from them and I simply want to specifically deny their right to rename it... which I thought I had done with the above.

        Can anyone guess why it is not working?


        Tom


        • #5
          Re: Renaming OUs

          Hi,

          An Active Directory domain controller that holds the primary domain controller (PDC) operations master role runs a thread (AdminSDHolder) every hour to check the access control lists (ACLs) on the following groups and all of the member objects of these groups:

          • Enterprise Admins
          • Schema Admins
          • Domain Admins
          • Administrators
          • Domain Controllers
          • Cert Publishers
          • Backup Operators
          • Replicator
          • Server Operators
          • Account Operators
          • Print Operators

          Additionally, by default any permissions set on the containers do not inherit to these groups.

          So I suspect this is causing the issue.

          I think "Guyt" is the best person to describe the same........

          Regards,
          Kapil Sharma


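          To see what the AdminSDHolder mechanism described in the post above actually acts on, here is an added example (not code from the thread or from any poster). It lists every object the hourly pass has stamped with adminCount=1 and whether ACL inheritance is blocked on it. It assumes the ActiveDirectory PowerShell module (which provides the AD: drive) and read access to the domain; the function name is this example's own.

```powershell
# Added example, not code from the thread. Shows what AdminSDHolder actually
# touches: the objects it has stamped with adminCount=1 and whether inheritance
# is blocked on them. Assumes the ActiveDirectory module (AD: drive) and read
# access to the domain; the function name is this example's own.

function Get-AdminSDHolderStatus {
    Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            [pscustomobject]@{
                Object             = $_.DistinguishedName
                Class              = $_.ObjectClass
                InheritanceBlocked = $acl.AreAccessRulesProtected   # the hourly pass sets this to True
            }
        }
}

$status = Get-AdminSDHolderStatus
$status | Format-Table -AutoSize

# The protected set is made up of group members (users, groups, computers);
# an OU never appears here, so AdminSDHolder cannot explain ACEs on OUs.
$status | Where-Object Class -eq 'organizationalUnit'   # expected: nothing
```

          One gotcha worth knowing when reading the output: an object that was once in a protected group keeps adminCount=1 and its blocked inheritance after it is removed from the group, so stale rows here are common and have to be cleaned up by hand.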
          • #6
            Re: Renaming OUs

            Originally posted by kapilsharma11 View Post
            [post #5 above, quoted in full]
            Yes... but AdminSDHolder does not check OUs and the permissions on them. AdminSDHolder REMOVES ACL entries it doesn't like; and these permissions are there, plain to see, on all OUs (NOT CONTAINERS) in the domain.


            Tom


            • #7
              Re: Renaming OUs

              I haven't read this document completely because I don't have much time.
              Also I'm not an AD guru like Guy, so if I'm wrong, sorry for that.

              But.. please review:
              http://docs.msdnaa.net/computingsolu...Uschemamod.txt
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"



              • #8
                Re: Renaming OUs

                Dumber,
                The link which you specified is for restricting access for schema modifications to a particular DC only. The question is about renaming an OU and not about modifying the schema.

                Stonelaughter,
                I just have to check the ACLs for Account Operators. I have not done that. It seems there is a lot of work involved with the built-in groups and their permissions.

                From,
                Amit


                • #9
                  Re: Renaming OUs

                  I found (with Microsoft's help) that the "privileged" status of Account Operators allows them to ignore certain "Deny" permissions - this being one of them. In order to correct this, I have had to modify a flag in the Configuration partition of the schema called "DSHeuristics". Microsoft raised a new "Bug" for this though, as setting the value I wanted was incompatible with the value already present which allows anonymous LDAP queries!! So - they had to send me a new value for it.

                  See http://support.microsoft.com/kb/817433 for more information: the value "0000002" allows anonymous LDAP queries, and the value "0000000001000001" restricts the privileges of the "Account Operators" group. The two values merged become "0000002001000001"

                  See also http://support.microsoft.com/kb/326690/


                  Tom

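                  The value merging described in the post above is easy to get wrong by hand, because dSHeuristics is a single positional string in which every tenth character is a fixed check digit (the 10th must be "1", the 20th "2", and so on) and a naive overwrite of one flag clobbers the others. The following is an added example, not code from the thread or from Microsoft: a helper that sets one position in the existing forest-wide value and preserves the check digits, followed by the read/modify/write against the Directory Service object in the Configuration partition. It assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to write the Configuration partition; the function name and parameters are this example's own.

```powershell
# Added example, not code from the thread. Merges one dSHeuristics flag into the
# existing forest-wide value without clobbering other flags or the mandatory
# check digits, then shows the read/modify/write against the Directory Service
# object. Assumes the ActiveDirectory module (RSAT) and an account allowed to
# write the Configuration partition. Function name and parameters are this
# example's own.

function Merge-DSHeuristics {
    param(
        [AllowEmptyString()][string] $Current,   # value currently in the directory ('' if unset)
        [Parameter(Mandatory)][int]  $Position,  # 1-based position (7 = anonymous LDAP, 16 = dwAdminSDExMask)
        [Parameter(Mandatory)][char] $Value      # new character for that position
    )
    if ($Position -lt 1)        { throw "Position must be 1 or greater" }
    if (($Position % 10) -eq 0) { throw "Position $Position is a reserved check digit" }

    # Pad with zeros so the requested position exists, then set it.
    $chars = $Current.PadRight($Position, '0').ToCharArray()
    $chars[$Position - 1] = $Value

    # Every tenth character is fixed: 10th = '1', 20th = '2', and so on.
    for ($i = 10; $i -le $chars.Length; $i += 10) {
        $chars[$i - 1] = [char][string]($i / 10)
    }
    return (-join $chars)
}

# The thread's two values combined: "0000002" (anonymous LDAP on) plus the
# Account Operators exclusion at position 16 -> "0000002001000001".
Merge-DSHeuristics -Current '0000002' -Position 16 -Value '1'

# Live read/modify/write. Drop -WhatIf once the merged string has been reviewed.
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$current  = [string](Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics
$new      = Merge-DSHeuristics -Current $current -Position 16 -Value '1'
Set-ADObject -Identity $dsObject -Replace @{ dSHeuristics = $new } -WhatIf
```

                  Two cautions for anyone reproducing this. The attribute lives in the Configuration partition, so the change applies to every domain in the forest, not just the one whose OUs are being protected. And the 16th character is a bitmask of operator groups to drop from AdminSDHolder protection (1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators), which is a security trade-off in itself: once excluded, an Account Operators member object is no longer reset to the AdminSDHolder template, so its ACL needs to be watched by other means.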

                  • #10
                    Re: Renaming OUs

                    Just for completeness, I remembered this thread and thought I should update. The DSHeuristics value did not work on its own. I also needed to remove all explicit ALLOW permissions on OUs because an explicit ALLOW overrides an inherited DENY. Once those are stripped, the inherited allow/deny combination will have the desired effect.


                    Tom

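                    The ordering rule behind the post above is the canonical ACE order Windows uses when it evaluates a DACL: explicit Deny, explicit Allow, inherited Deny, inherited Allow. A Deny inherited from the domain object therefore never gets a chance to match if an explicit Allow for the same trustee sits directly on the OU. A rename within the same parent is an LDAP Modify DN that needs WriteProperty on the OU's RDN and name attributes, which is exactly what a Deny on "Write All Properties" should block unless an explicit Allow precedes it. The following is an added example, not code from the thread, that finds those explicit Allows for Account Operators on every OU and can strip them. It assumes the ActiveDirectory PowerShell module (which supplies the AD: drive) and an account with WriteDacl on the OUs; the function name and the -Remove switch are this example's own.

```powershell
# Added example, not code from the thread. Lists explicit (non-inherited) Allow
# ACEs held by Account Operators on every OU, and optionally removes them so the
# inherited Deny set at the domain level is no longer overridden. Assumes the
# ActiveDirectory module (which supplies the AD: drive) and an account with
# WriteDacl on the OUs. Function name and the -Remove switch are this example's own.

function Get-ExplicitOUAllow {
    param(
        [string] $Identity = 'BUILTIN\Account Operators',
        [switch] $Remove
    )
    $report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $path = "AD:\" + $ou.DistinguishedName
        $acl  = Get-Acl -Path $path

        # Canonical ACE order is explicit Deny, explicit Allow, inherited Deny,
        # inherited Allow, so an explicit Allow always wins over an inherited Deny.
        $explicit = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $Identity
        })

        foreach ($ace in $explicit) {
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Rights      = $ace.ActiveDirectoryRights
                ObjectType  = $ace.ObjectType        # all-zero GUID = whole object
                Inheritance = $ace.InheritanceType
            }
            if ($Remove) { $acl.RemoveAccessRuleSpecific($ace) }
        }
        if ($Remove -and $explicit.Count -gt 0) { Set-Acl -Path $path -AclObject $acl }
    }
    return $report
}

Get-ExplicitOUAllow | Format-Table -AutoSize      # audit only
# Get-ExplicitOUAllow -Remove                      # strip the explicit Allows (test in a lab first)
```

                    Run the audit form first and read the Rights column: an explicit Allow of GenericAll or WriteProperty on the OU itself is what lets the rename through, whereas an explicit Allow scoped to child user objects is harmless and usually the reason the group was delegated there in the first place. Stripping everything blindly with -Remove will also take away delegations the service desk legitimately needs.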

                    • #11
                      Re: Renaming OUs

                      Thanks for the update Tom.
                      1 1 was a racehorse.
                      2 2 was 1 2.
                      1 1 1 1 race 1 day,
                      2 2 1 1 2
