Checking effective domain permissions
  • Checking effective domain permissions

    Hello to everybody.

    I have a domain group named "Techs".
    I found that they have too many permissions on the domain.
    Checking their membership, I could see that the "Techs" group is not member of any other group.
    The only reason for this group is to be a member of the "Local Admin" group of freshly imaged client machines, so they can act as local administrators for the join to the domain.
    I have checked if there is some specific delegation: none.
    Nevertheless, checking the effective security permissions of the group at domain level I still see that they have unjustified rights.


    Does anybody have any idea where I could go check to see where they inherit those permissions from?

    One more thing: I am having a long delay enabling accounts across a slow line. The FSMO roles are held at the other side of the network. I wanted to transfer the PDC emulator in order to speed up the process between account enabling and login, which currently takes 20 min. Would that be enough, or should anything else be moved over? At the other site the enabling and login can be done almost immediately.

    Thanks,

    Christian
    Last edited by Oby; 1st April 2008, 11:51.
    There is just one thing bigger than the Universe: - guess???-

  • #2
    Re: Checking effective domain permissions

    In ADUC you can click on View then advanced features. The security tab will give you the information you need.

    I had a similar issue earlier, but in reverse. They didn't have all of the necessary permissions, but only when certain replication problems occurred. If all you need is Domain Joining permissions, you should remake that group and delegate control just for that specific task.

    1. Click Start, click Run, type dsa.msc, and then click OK.
    2. In the task pane, expand the domain node.
    3. Locate and right-click the OU that you want to modify, and then click Delegate Control.
    4. In the Delegation of Control Wizard, click Next.
    5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
    6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
    7. Click Only the following objects in the folder, and then from the list, click to select the following check boxes:
       • Computer objects
       • Create selected objects in this folder
       • Delete selected objects in this folder

    8. Click Next.
    9. In the Permissions list, click to select the following check boxes:
       • Reset Password
       • Validated write to DNS host name
       • Read and write Account Restrictions
       • Validated write to service principal name

    10. Click Next, and then click Finish.
    11. Close the "Active Directory Users and Computers" MMC snap-in.

    Hope this helps.

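The wizard steps in the reply above, done from PowerShell against one OU. This is an added example, not code from the thread or from any poster. It assumes the ActiveDirectory module (RSAT) is installed, that the session is allowed to modify the OU's ACL, and that "Techs" and the OU distinguished name are placeholders to replace with your own; the GUIDs the wizard uses behind the scenes are looked up in the forest's own schema and Extended-Rights containers rather than hard-coded.

```powershell
# Added example, not code from the thread: the Delegation of Control Wizard
# steps above, done from PowerShell against one OU.
# Assumptions: the ActiveDirectory module (RSAT) is installed, the session can
# modify the OU's ACL, and "Techs" / the OU path are placeholders for your own.
Import-Module ActiveDirectory

function Grant-ComputerJoinDelegation {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $OuDN
    )
    $rootDse  = Get-ADRootDSE
    $groupSid = (Get-ADGroup -Identity $GroupName).SID

    # Resolve the GUIDs the wizard uses behind the scenes from this forest's own
    # schema and Extended-Rights containers rather than hard-coding them.
    $computerClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
    $computerGuid  = [guid]$computerClass.schemaIDGUID

    $wanted = 'Reset Password', 'Validated write to DNS host name',
              'Validated write to service principal name', 'Account Restrictions'
    $rightGuid = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        Where-Object { $wanted -contains $_.displayName } |
        ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }
    foreach ($w in $wanted) {
        if (-not $rightGuid.ContainsKey($w)) { throw "Right '$w' not found under Extended-Rights" }
    }

    $ruleType     = 'System.DirectoryServices.ActiveDirectoryAccessRule'
    $allow        = [System.Security.AccessControl.AccessControlType]::Allow
    $thisAndBelow = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $descendants  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

    $acl = Get-Acl -Path "AD:\$OuDN"

    # Step 7: create and delete only computer objects in this OU and below.
    $acl.AddAccessRule((New-Object $ruleType $groupSid, $createDelete, $allow, $computerGuid, $thisAndBelow))

    # Step 9, scoped to descendant computer objects (the wizard's "only the
    # following objects" choice). Reset Password is an extended right, the two
    # validated writes use the Self right, and Account Restrictions is a
    # property set that needs ReadProperty plus WriteProperty.
    $perObject = @(
        @{ Name = 'Reset Password';                            Rights = 'ExtendedRight' },
        @{ Name = 'Validated write to DNS host name';          Rights = 'Self' },
        @{ Name = 'Validated write to service principal name'; Rights = 'Self' },
        @{ Name = 'Account Restrictions';                      Rights = 'ReadProperty, WriteProperty' }
    )
    foreach ($p in $perObject) {
        $rights = [System.DirectoryServices.ActiveDirectoryRights]$p.Rights
        $acl.AddAccessRule((New-Object $ruleType $groupSid, $rights, $allow, $rightGuid[$p.Name], $descendants, $computerGuid))
    }

    Set-Acl -Path "AD:\$OuDN" -AclObject $acl

    # Read the ACL back so the result can be compared with the Security tab in ADUC.
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
}

Grant-ComputerJoinDelegation -GroupName 'Techs' -OuDN 'OU=Workstations,DC=example,DC=com'
```

Because every ACE is scoped to the computer class GUID, the group gains nothing on users, groups or other objects under that OU; the final Format-Table lists exactly the five ACEs written, which is what the Security tab (View, Advanced Features) should show afterwards.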


    • #3
      Re: Checking effective domain permissions

      By the way, did you know that an authenticated user has the ability to join PCs to the domain up to 10 times? So if this is the only task you are doing that needs Local Admins for, then you don't need to worry about making them local admins.
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



      • #4
        Re: Checking effective domain permissions

        Thanks f21.

        Actually the problem is that I could see too many rights from the specific security permissions for the workstations OU.
        After taking them out of every group, they were still inheriting permissions from somewhere. I cannot find where exactly from. Their membership is now down to zero and I can still see that they have way too many permissions.
        Any other idea?

        Thanks PaulH.
        They have a membership as local admins on the clients, since the amount of machines they can join to the domain is not limited to 10.
        Furthermore, being part of the tech support, they might need local admin rights in order to give proper support for troubleshooting.

        Cheers.
        There is just one thing bigger than the Universe: - guess???-



        • #5
          Re: Checking effective domain permissions

          Originally posted by Oby:
          Thanks PaulH.
          They have a membership as local admins on the clients, since the amount of machines they can join to the domain is not limited to 10.

          So you could use the actual domain user who will use the PC to join his own PC to the domain, thus each user's "allocation of 10" is only used once, rather than using the same user account over and over again.

          Originally posted by Oby:
          Furthermore, being part of the tech support, they might need local admin rights in order to give proper support for troubleshooting.

          Cheers.

          Yes, right, that's often the case, and it is tricky to give "enough" but not too much power.
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



          • #6
            Re: Checking effective domain permissions

            Reading the thread I get the feeling that the main issue raised has been sidetracked, but I could be wrong.

            Correct me if I am wrong - You have a security group whose only purpose is to be added to the local admins group on machines in your domain. But you see that the group has a lot of permissions on your domain.

            1. Are you sure that no one else has given the group specific permissions on your domain?
            2. What exactly are the permissions you see given to the tech group?


            MurTuzA
            The Never Ending Loop of User Rights
            START
            Q. Why is Windows so insecure?
            A. Because everyone runs as Administrator.
            Q. Why does everyone run as Administrator (even when they know better)?
            A. Because they don't understand security and are afraid they will be prevented from doing things.
            Q. Why don't they understand security?
            A. Because they run as Administrator, bypassing all security.
            LOOP TO START



            • #7
              Re: Checking effective domain permissions

              Well, the OP stated that the only reason for this group was to add machines to the domain. That can be achieved by authenticated users, so that ends the issue. But of course understandably the OP then goes on to say he wants to give the group some "tech support" powers as well, so that new info changed the landscape somewhat.
              Best wishes,
              PaulH.
              MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



              • #8
                Re: Checking effective domain permissions

                Originally posted by MurTuzA:
                Correct me if I am wrong - You have a security group whose only purpose is to be added to the local admins group on machines in your domain. But you see that the group has a lot of permissions on your domain.

                The group has a double purpose: joining way past the normal user limit of 10 machines to the domain. For that purpose I delegated control to "Join computers" for the OU that holds the workstations.
                The second is to troubleshoot, therefore they have been added to the "Local Administrators" group in the image, so they will have local admin rights to be able to perform their tasks.

                Originally posted by MurTuzA:
                1. Are you sure that no one else has given the group specific permissions on your domain?

                Yes.

                Originally posted by MurTuzA:
                2. What exactly are the permissions you see given to the tech group?

                In the Domain Effective Permissions query they have all "write" + "read and write" permissions, despite the fact that they don't appear specifically in the security list and aren't members of the groups that are in the security list.

                Originally posted by PaulH:
                Well, the OP stated that the only reason for this group was to add machines to the domain. That can be achieved by authenticated users, so that ends the issue.

                That is not completely correct: they need to add more than 10 WS to the domain.
                The issue though has been solved through this TechNet article. What I was missing was "reset password". I covered that a long time ago. Not remembered any more.

                Thank you.
                There is just one thing bigger than the Universe: - guess???-



                • #9
                  Re: Checking effective domain permissions

                  By the way, this "10 times add to domain" limit can of course be extended by using different "Authenticated Users" - so you are NOT limited to 10 - if you use 14 user names, you can of course do up to 140 PCs.

                  I suggest you use one user per PC and so each username only gets used once. It's a boring point, but worth considering.
                  Best wishes,
                  PaulH.
                  MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                  • #10
                    Re: Checking effective domain permissions

                    Originally posted by PaulH:
                    By the way, this "10 times add to domain" limit can of course be extended by using different "Authenticated Users" - so you are NOT limited to 10 - if you use 14 user names, you can of course do up to 140 PCs.

                    I suggest you use one user per PC and so each username only gets used once. It's a boring point, but worth considering.

                    The problem was not the amount of WS that had to join the domain, but that the specific security group couldn't add them even if delegated.

                    As I have explained earlier, I overlooked the delegation of "resetting password", which is needed both when you delegate control for managing users and for managing computers.

                    The core problem still remains unsolved though:
                    How to verify where the group is inheriting permissions from since, at domain level, they aren't mentioned in the security tab.
                    There is just one thing bigger than the Universe: - guess???-

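One way to answer the open question in the post above (where rights come from when the group is not named in the Security tab) is to script the lookup instead of reading the Effective Permissions tab. The script below is an added example, not code from the thread or from any poster. It collects every SID an access check evaluates for a member of the group: the group itself, every group it is nested in, and the identities every authenticated account carries anyway (Everyone, Authenticated Users, the default primary group Domain Users, and the builtin groups that contain Authenticated Users). It then walks from the target object up to the domain root and reports each ACE granted to one of those SIDs together with the object it is defined on. Rights granted to Everyone or Authenticated Users are a common reason a group appears to have permissions with no ACE naming it. It assumes the ActiveDirectory module (RSAT); "Techs" and the target DN are placeholders.

```powershell
# Added example, not code from the thread: report which ACEs, defined on which
# objects, give a group rights on an AD object, including rights it only holds
# through nesting or through well-known identities such as Authenticated Users.
# Assumptions: ActiveDirectory module (RSAT) available; "Techs" is a placeholder.
Import-Module ActiveDirectory

function Trace-GroupAceSources {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $TargetDN = (Get-ADDomain).DistinguishedName   # default: the domain root
    )
    $domain = Get-ADDomain
    $group  = Get-ADGroup -Identity $GroupName

    # 1. Every SID an access check evaluates for a member of this group:
    #    the group itself, every group it is nested in (any depth), and the
    #    identities every authenticated account carries regardless of membership.
    $principals = @{}                                  # SID string -> display name
    $principals[$group.SID.Value] = $group.Name
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($group.DistinguishedName)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($g in Get-ADPrincipalGroupMembership -Identity $current) {
            if (-not $principals.ContainsKey($g.SID.Value)) {
                $principals[$g.SID.Value] = $g.Name
                $queue.Enqueue($g.DistinguishedName)
            }
        }
    }
    $principals['S-1-1-0']  = 'Everyone'
    $principals['S-1-5-11'] = 'Authenticated Users'
    $principals["$($domain.DomainSID)-513"] = 'Domain Users (default primary group, assumed)'
    # Builtin groups that contain Authenticated Users (checked, not assumed):
    # Users (S-1-5-32-545) and Pre-Windows 2000 Compatible Access (S-1-5-32-554).
    foreach ($sid in 'S-1-5-32-545', 'S-1-5-32-554') {
        $b = Get-ADGroup -Identity $sid -Properties member
        if (@($b.member) -match '^CN=S-1-5-11,CN=ForeignSecurityPrincipals,') {
            $principals[$sid] = $b.Name
        }
    }

    # 2. Walk from the target up to the domain root. Only ACEs defined on an
    #    object (not the copies it inherited) are reported, so each row names the
    #    object the permission was actually set on. Ancestor ACEs count only if
    #    they are inheritable, and the walk stops at the first object that blocks
    #    inheritance, because nothing above it can reach the target.
    $rows = @()
    $dn = $TargetDN
    while ($dn) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            if ($dn -ne $TargetDN -and $ace.InheritanceFlags -eq 'None') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }                          # orphaned SID that cannot be resolved
            if ($principals.ContainsKey($sid)) {
                $rows += [pscustomobject]@{
                    DefinedOn    = $dn
                    Identity     = $principals[$sid]
                    Type         = $ace.AccessControlType
                    Rights       = $ace.ActiveDirectoryRights
                    ObjectType   = $ace.ObjectType          # attribute/right/class GUID, or all zeros for "all"
                    AppliesTo    = $ace.InheritanceType
                    OnlyForClass = $ace.InheritedObjectType  # non-zero GUID = limited to one object class
                }
            }
        }
        if ($acl.AreAccessRulesProtected -or $dn -eq $domain.DistinguishedName) { break }
        # Parent DN: drop the first RDN (backslash-escaped commas are handled).
        $dn = $dn -replace '^(?:[^,\\]|\\.)+,', ''
    }
    return $rows
}

Trace-GroupAceSources -GroupName 'Techs' | Format-Table -AutoSize
```

Reading the output: a row whose Identity is "Authenticated Users" or "Everyone" and whose Rights include a write is the kind of entry the group's members benefit from without the group ever being listed in the Security tab, and DefinedOn tells you which object to open to review or remove it. ObjectType and OnlyForClass are GUIDs; they can be matched to names the same way the schema and Extended-Rights containers are queried (by schemaIDGUID and rightsGuid).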


                    • #11
                      Re: Checking effective domain permissions

                      Hi,

                      I could not read the entire post, but if it's just the matter of restricting the users from joining the computers under any specific OU, then why don't you try to explicitly deny them?

                      Regards,
                      Kapil Sharma
                      ~~~~~~~~~~~~~
                      Life is too short, Enjoy It.



                      • #12
                        Re: Checking effective domain permissions

                        Originally posted by kapilsharma11:
                        then why don't you try to explicitly deny them.

                        kapilsharma11,
                        The reason is that I want to know where all those permissions are coming from.
                        What you suggest is just a patch. I need a fix.

                        Thanks for the answer anyway.

                        Cheers
                        There is just one thing bigger than the Universe: - guess???-
