AdminSDHolder default security settings.
  • AdminSDHolder default security settings.

    Hello, I'm hoping the experts here can help. I've pretty much already blown a day's work and $259 at Microsoft support trying to get this resolved and it's starting to look bleak. I'll get right to the issue.

    I'm the administrator of a 2003 AD environment at 2003 interim functional level. Recently I was tasked with upgrading our Imail email services with an Exchange server (still in progress) and a 15-license Blackberry Enterprise server (also in progress). The problem I am now having is a result of applying the "Send As" permission to the BESAdmin account I have created. The script I ran was supposed to simply add the permissions to the AdminSDHolder object. However, it appears to have reset all the security permissions for that object and only a few now exist. I've spent most of my time rebuilding the security tab from what I have found on the Internet, but it is still incomplete.

    I've been through Microsoft support and all they did was hit the Default button, which did practically nothing. I found an appendix of security descriptors for AdminSDHolder that has helped, but it did not include all the administrative service accounts (i.e. backup operators and the newest included with 2003). I have a separate domain, but oddly it is missing some of the newer ones as well.

    I'm having some issues finding what the correct GUID is for some of the permissions I need to set, such as tokenGroupsGlobalandUniversal. It's available if I access the security permissions for the Windows Authorization Access Groups account, but it's not available when I access that object via AdminSDHolder. This is expected, but I still need to find that GUID so I can add it using dsacls.exe.

    I guess what I'm asking is if there is someone out there that knows of a script that can restore my AdminSDHolder security permissions, or another way of getting them back to even a pre-Exchange state (I can rerun domainprep to repopulate what I need from Exchange).

    I'm not sure how any of this happened but I'm at a point that it doesn't really matter any longer...I need to get it fixed. I do believe it's in a state that will allow full functionality of our business, but I'm sure it has left a few accounts in a poor security state.

    Thanks for reading this long post and for any suggestion you can offer.

    Jon

    EDIT:

    Thought I would include the output of dsacls in case it helps anyone. This is what I have rebuilt so far:

    Code:
    Access list:
    {This object is protected from inheriting permissions from the parent}
    Effective Permissions on this object are:
    Allow BUILTIN\Administrators                      SPECIAL ACCESS
                                                      DELETE
                                                      READ PERMISSONS
                                                      WRITE PERMISSIONS
                                                      CHANGE OWNERSHIP
                                                      CREATE CHILD
                                                      DELETE CHILD
                                                      LIST CONTENTS
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                      READ PERMISSONS
                                                      LIST CONTENTS
                                                      READ PROPERTY
    Allow DomainName\Domain Admins                      SPECIAL ACCESS
                                                      READ PERMISSONS
                                                      WRITE PERMISSIONS
                                                      CHANGE OWNERSHIP
                                                      CREATE CHILD
                                                      DELETE CHILD
                                                      LIST CONTENTS
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow DomainName\Enterprise Admins                  SPECIAL ACCESS
                                                      READ PERMISSONS
                                                      WRITE PERMISSIONS
                                                      CREATE CHILD
                                                      DELETE CHILD
                                                      LIST CONTENTS
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow DomainName\Exchange Enterprise Servers        SPECIAL ACCESS
                                                      LIST CONTENTS
    Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                      READ PERMISSONS
                                                      LIST CONTENTS
                                                      READ PROPERTY
    Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
    Allow DomainName\Exchange Enterprise Servers        SPECIAL ACCESS for Public Information
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow DomainName\Exchange Enterprise Servers        SPECIAL ACCESS for Personal Information
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow DomainName\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow NT AUTHORITY\SELF                           SPECIAL ACCESS for Personal Information
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow NT AUTHORITY\SELF                           SPECIAL ACCESS for Phone and Mail Options
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow NT AUTHORITY\SELF                           SPECIAL ACCESS for Web Information
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow DomainName\besadmin                           Send As
    Allow Everyone                                    Change Password
    Allow NT AUTHORITY\SELF                           Receive As
    Allow NT AUTHORITY\SELF                           Change Password
    
    Permissions inherited to subobjects are:
    Inherited to all subobjects
    Allow DomainName\Exchange Enterprise Servers        SPECIAL ACCESS
                                                      LIST CONTENTS
    Allow DomainName\Exchange Enterprise Servers        SPECIAL ACCESS for Public Information
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow DomainName\Exchange Enterprise Servers        SPECIAL ACCESS for Personal Information
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Allow DomainName\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                      WRITE PROPERTY
                                                      READ PROPERTY
    Last edited by jkleslie; 13th May 2008, 21:20.

  • #2
    Re: AdminSDHolder default security settings.

    I could be missing something, but what has adminSDHolder to do with your situation?
    adminSDHolder is responsible (among other things) for enforcing permissions on the sensitive accounts (members of pre-defined security groups, like Domain Admins, Account Operators, etc...)

    This has nothing to do with Send As permissions.
    What is the exact problem you are facing?
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: AdminSDHolder default security settings.

      If Send As permissions are granted to an object that adminSDHolder is responsible for, then adminSDHolder will remove the Send As permission. Your BESAdmin account cannot be a member of any Admin group or you will not be able to apply the required Send As permission to the BESAdmin account. Make your BESAdmin account a member of Domain Users. You can, if you need, add BESAdmin to the Local Administrators group of the BES server. Also, BESAdmin should be delegated Exchange View Only Administrator permissions at the Exchange Organization level.



      • #4
        Re: AdminSDHolder default security settings.

        Originally posted by joeqwerty:
        If Send As permissions are granted to an object that adminSDHolder is responsible for then adminSDHolder will remove the Send As permission.
        You will have to excuse my lack of knowledge of Blackberry - I have no idea what permissions are required.

        Please correct me if I'm wrong. If the situation is:

        - BESAdmin account is a member of an adminSDHolder-protected group
        - another account is granted SendAs permission over the BESAdmin account
        - adminSDHolder removes the ACE from the BESAdmin account's ACL in order to enforce the mandatory ACL

        If the case is:
        - BESAdmin account is a member of an adminSDHolder-protected group
        - BESAdmin account is granted SendAs permissions over user accounts
        - adminSDHolder should not remove SendAs permissions, as the ACL in question does not belong to an adminSDHolder-protected object


        btw, if you want to give some account a permission to read tokenGroupsGlobalandUniversal attribute, add it to "Windows Authorization Access Group" group
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"

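A quick way to tell which of the two cases above applies is to check whether the account in question is itself under AdminSDHolder protection, since that is what decides whether an ACE granted on the account (such as Send As) survives the next SDProp pass. The script below is an added example written for this thread, not code posted by any of the participants or taken from Microsoft. It assumes PowerShell 2.0 or later with .NET System.DirectoryServices on a domain-joined machine; the account name is a placeholder. It only reads the directory and changes nothing.

```powershell
# Added example: report whether an account is protected by AdminSDHolder/SDProp.
# Read-only; no directory changes are made. The account name is a placeholder.
param(
    [string]$SamAccountName = "BESAdmin"   # placeholder account name
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

# Locate the account by sAMAccountName.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "adminCount", "memberOf"))
$hit = $searcher.FindOne()
if (-not $hit) { throw "Account '$SamAccountName' not found under $domainDn" }

$dn = [string]$hit.Properties["distinguishedname"][0]
$adminCount = 0
if ($hit.Properties.Contains("admincount")) { $adminCount = [int]$hit.Properties["admincount"][0] }
$groups = @()
if ($hit.Properties.Contains("memberof")) { $groups = @($hit.Properties["memberof"]) }

# Resolve the rightsGuid of the "Send As" extended right from the configuration
# partition rather than hard-coding it.
$rightSearcher = New-Object System.DirectoryServices.DirectorySearcher
$rightSearcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configDn"
$rightSearcher.Filter = "(&(objectClass=controlAccessRight)(displayName=Send As))"
[void]$rightSearcher.PropertiesToLoad.Add("rightsGuid")
$rightHit = $rightSearcher.FindOne()
if (-not $rightHit) { throw "Send As extended right not found under CN=Extended-Rights,$configDn" }
$sendAsGuid = [Guid]([string]$rightHit.Properties["rightsguid"][0])

# Read the account's security descriptor and list explicit (non-inherited) Send As ACEs.
$entry = $hit.GetDirectoryEntry()
$sd    = $entry.ObjectSecurity
$sendAsAces = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $sendAsGuid }

"Account:              $dn"
"adminCount:           $adminCount"
"Inheritance blocked:  $($sd.AreAccessRulesProtected)"
"Direct group memberships:"
if ($groups.Count -gt 0) { $groups | ForEach-Object { "    $_" } } else { "    (none)" }
"Explicit Send As ACEs on this object:"
if ($sendAsAces) {
    $sendAsAces | ForEach-Object { "    $($_.AccessControlType) $($_.IdentityReference)" }
} else {
    "    (none)"
}

# adminCount=1 together with blocked inheritance is the footprint SDProp leaves
# on a protected object; the authoritative test is membership (direct or nested)
# in one of the protected groups, so check the list above as well.
if ($adminCount -eq 1 -and $sd.AreAccessRulesProtected) {
    "Verdict: this account looks SDProp-protected (first case): ACEs added to it will be reset to the AdminSDHolder ACL on the next SDProp pass."
} else {
    "Verdict: this account does not look SDProp-protected (second case): permissions it holds on other objects are not touched by AdminSDHolder."
}
```

Note that memberOf shows direct memberships only; membership through a nested group still makes the account protected, and an account that was once in a protected group keeps adminCount=1 and the blocked inheritance after removal unless an administrator clears them.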


        • #5
          Re: AdminSDHolder default security settings.

          http://technet2.microsoft.com/window....mspx?mfr=true



          • #6
            Re: AdminSDHolder default security settings.

            I apologize that I was not clear. Forget that I mentioned Blackberry, as that was the cause of my problems, but at this point it is irrelevant.

            I do know what the AdminSDHolder object is for. My problem is that if you check the Security tab under the properties of mine, it is blank. This means that all the accounts that AdminSDHolder protects are no longer protected.

            I have rebuilt some of it using a separate domain I manage to guide me, as well as the appendix Meekrobe posted, but it is still incomplete.

            As far as applying permissions, objects such as the "Windows Authorization Access Group" are already correct. The problem is that I need to add permissions to the AdminSDHolder object itself and some of the permissions it needs are not available in the GUI - they are hidden and I don't know the proper GUID for some of them.

            For example, the Windows Authorization Access Group has a permission explicitly for tokenGroupsGlobalandUniversal. The AdminSDHolder also has permissions applied to this object within its security tab so that if it is removed from the Windows Authorization Access Group, it will be re-added when the check runs - protecting the Windows Authorization Access Group object. My AdminSDHolder object does not have this permission anymore - it is also missing many others. So if the tokenGroupsGlobalandUniversal permission is removed from the Windows Authorization Access Group object, it is gone and will not be corrected by the AdminSDHolder check. I hope that better explains my predicament.

            Thanks for everyone's interest. All suggestions are welcome and appreciated.
            Last edited by jkleslie; 21st May 2008, 12:33.



            • #7
              Re: AdminSDHolder default security settings.

              Try the following:

              Code:
              C:\>dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=tld" /G "BUILTIN\Windows Authorization Access Group:RP;tokenGroupsGlobalandUniversal;"
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"



              • #8
                Re: AdminSDHolder default security settings.

                Originally posted by guyt:
                Try the following:

                Code:
                C:\>dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=tld" /G "BUILTIN\Windows Authorization Access Group:RP;tokenGroupsGlobalandUniversal;"
                Thanks for that...I won't get to try it until tomorrow, but I think I already see where I went wrong when I tried that.



                • #9
                  Re: AdminSDHolder default security settings.

                  Well, it didn't work.

                  Code:
                  H:\>dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=local" /G "BUILTIN\Windows Authorization Access Group:RP;tokenGroupsGlobalandUniversal;"
                  No GUID Found for tokenGroupsGlobalandUniversal
                  The parameter is incorrect.
                  Not sure how I'm supposed to take care of these hidden permissions.



                  • #10
                    Re: AdminSDHolder default security settings.

                    If you are in interim mode, Everyone is a member of the "Pre-Windows 2000" group, which means that you do not need the Windows Authorization Access Group to enable access to the attribute.

                    Not sure whether the group is actually accessible from NT... Is your PDC FSMO on W2K3 and accessible?
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"



                    • #11
                      Re: AdminSDHolder default security settings.

                      Originally posted by guyt:
                      If you are in interim mode, Everyone is a member of the "Pre-Windows 2000" group, which means that you do not need the Windows Authorization Access Group to enable access to the attribute.

                      Not sure whether the group is actually accessible from NT... Is your PDC FSMO on W2K3 and accessible?
                      Yes it is.



                      • #12
                        Re: AdminSDHolder default security settings.

                        I do not have an interim forest handy to take a look, but on Sunday I am at a client which is running his forest in interim mode and I can take a look at how the defaults are set. Feel free to ping me offline or bump up the thread if I do not get back by Monday with an answer.
                        Guy Teverovsky
                        "Smith & Wesson - the original point and click interface"



                        • #13
                          Re: AdminSDHolder default security settings.

                          Originally posted by guyt:
                          I do not have an interim forest handy to take a look, but on Sunday I am at a client which is running his forest in interim mode and I can take a look at how the defaults are set. Feel free to ping me offline or bump up the thread if I do not get back by Monday with an answer.
                          Thanks! I'm fairly confident that I have it back in as close to the same order as before the incident, minus the WAAG tokenGroupsGlobalandUniversal permissions...I just can't seem to find a way to add that. I looked into using ADSI, but it was a bit much to take on for me. I may not have a choice if it works though - nothing else seems to.

                          I'll probably be back in touch with Microsoft on Tuesday, so I'm hoping they'll have something for me. They've been pretty useless so far though.



                          • #14
                            Re: AdminSDHolder default security settings.

                            Hi, just wanted to say that I got this resolved. I pretty much got all the necessary security permissions set for all groups that were supposed to be within the AdminSDHolder security tab. The only one that I had trouble with was the Windows Authorization Access Group and the tokenGroupsGlobalandUniversal.

                            I was able to get it added using a vb script created specifically for that group and permission from a Microsoft KB article (KB331947). I had come across that early on in my research, but was hesitant to use it. Then I found it's pretty much necessary if you need to apply that specific permission to any other object than the WAAG itself, where it is already present.

                            Thanks for all the replies and help. Hopefully this thread will pop up on a search for someone else with similar issues and help the same.
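For anyone who lands here with the same "No GUID Found" error from dsacls, the following is an added example; it is not the KB331947 script and was not posted by anyone in this thread. It does in PowerShell what Jon describes: it looks the schemaIDGUID of the attribute up in the schema partition at run time (the attribute's lDAPDisplayName is tokenGroupsGlobalAndUniversal, and the LDAP search matches it case-insensitively), checks whether AdminSDHolder already carries an Allow Read-Property ACE for Windows Authorization Access Group on that attribute, and adds the ACE only when run with -Apply. Assumptions: PowerShell 2.0 or later with .NET System.DirectoryServices, run as a Domain Admin on a domain member; the group is identified by its well-known SID S-1-5-32-560; and the ACE is written as "this object only", matching the dsacls /G form (no /I flag) used earlier in the thread.

```powershell
# Added example: re-create the Windows Authorization Access Group (WAAG) ACE on
# AdminSDHolder for the tokenGroupsGlobalAndUniversal attribute.
# Dry run by default; pass -Apply to commit. Run as a Domain Admin.
param(
    [switch]$Apply
)

$attributeName = "tokenGroupsGlobalAndUniversal"
# Well-known SID of BUILTIN\Windows Authorization Access Group.
$waagSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-560")

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext

# 1. Resolve the attribute's schemaIDGUID by lDAPDisplayName. This is the GUID
#    that the dsacls command line could not find.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaDn"
$searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeName))"
[void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
$hit = $searcher.FindOne()
if (-not $hit) { throw "Attribute '$attributeName' not found in $schemaDn" }
$attrGuid = New-Object Guid (,[byte[]]$hit.Properties["schemaidguid"][0])
"schemaIDGUID of $attributeName is $attrGuid"

# 2. Bind to AdminSDHolder and see whether the ACE is already there.
$holder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$domainDn"
$sd = $holder.ObjectSecurity
$existing = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $waagSid -and
        $_.ObjectType -eq $attrGuid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0)
    }

if ($existing) {
    "ACE already present on AdminSDHolder: Allow WAAG ReadProperty on $attributeName. Nothing to do."
    return
}

# 3. Build the ACE: Allow WAAG to read this one attribute on the object itself.
#    Inheritance None is an assumption that mirrors the dsacls /G form above.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $waagSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$waagName = $waagSid.Translate([System.Security.Principal.NTAccount]).Value
if (-not $Apply) {
    "Dry run: would add 'Allow $waagName ReadProperty $attributeName' to AdminSDHolder. Re-run with -Apply to commit."
    return
}

# 4. Commit the change to the directory.
$sd.AddAccessRule($rule)
$holder.CommitChanges()
"Added 'Allow $waagName ReadProperty $attributeName' to AdminSDHolder."
```

After committing, the ACE appears on the protected accounts only once SDProp has run again (every 60 minutes by default on the PDC emulator), so re-run dsacls against AdminSDHolder first to confirm the entry itself and against a protected account later to confirm it was propagated.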
