Admin delegation - Add Self to Group
  • Admin delegation - Add Self to Group

    I have been asked to limit some administrators, giving them access to create users and add users to groups, but not allow them to add themselves to groups.

    I have created a security group Level 2 Admins and added the administrators. They are normal domain users but I have given them the ability to add users, reset passwords, and read and write access to groups. These rights are inherited throughout the AD structure. All of this works as expected.

    I tried to DENY the right to Add/Remove self as member and applied it to Group objects but they can still add and remove themselves from groups.

    The only other way I can think of is to remove the inheritance and change the security permissions on select groups. Remove the right to read and write access to groups for sensitive groups like HR, Accounting, etc.

    Anyone know why the DENY rule doesn't work or another way to prevent them from adding themselves to groups?

    Tbird

  • #2
    Re: Admin delegation - Add Self to Group

    Any chance you can dump the DACL of the group and post it here?
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"

    • #3
      Re: Admin delegation - Add Self to Group

      Here is the ACL for a test group. I am trying to limit the Level 2 Admin and Level 1 Admin so they cannot add themselves to groups.
      You can see there are conflicting permissions for Add/Remove self as member but the Deny should override the Allow.
      The test users are only members of Level 2 Admin and Domain Users groups.

      Moderator EDIT: enclosed the ACL dump between [code] tags.
      Code:
      Access list:
      Effective Permissions on this object are:
      Allow COMCAR\Domain Admins                        FULL CONTROL
      Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
      Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                        READ PERMISSONS
                                                        LIST CONTENTS
                                                        READ PROPERTY
                                                        LIST OBJECT
      Allow BUILTIN\Account Operators                   FULL CONTROL
      Allow NT AUTHORITY\SELF                           SPECIAL ACCESS
                                                        READ PERMISSONS
                                                        LIST CONTENTS
                                                        READ PROPERTY
                                                        LIST OBJECT
      Allow BUILTIN\Administrators                      SPECIAL ACCESS   <Inherited from parent>
                                                        DELETE
                                                        READ PERMISSONS
                                                        WRITE PERMISSIONS
                                                        CHANGE OWNERSHIP
                                                        CREATE CHILD
                                                        LIST CONTENTS
                                                        WRITE SELF
                                                        WRITE PROPERTY
                                                        READ PROPERTY
                                                        LIST OBJECT
                                                        CONTROL ACCESS
      Allow COMCAR\Enterprise Admins                    FULL CONTROL   <Inherited from parent>
      Allow COMCAR\Level 1 Admin                        SPECIAL ACCESS   <Inherited from parent>
                                                        CREATE CHILD
                                                        WRITE PROPERTY
                                                        READ PROPERTY
      Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                        LIST CONTENTS
      Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                        READ PERMISSONS
                                                        LIST CONTENTS
                                                        READ PROPERTY
                                                        LIST OBJECT
      Allow COMCAR\Level 1 Admin                        SPECIAL ACCESS for user   <Inherited from parent>
                                                        CREATE CHILD
                                                        DELETE CHILD
      Allow COMCAR\Level 2 Admin                        SPECIAL ACCESS for computer   <Inherited from parent>
                                                        CREATE CHILD
      Allow COMCAR\Level 2 Admin                        SPECIAL ACCESS for user   <Inherited from parent>
                                                        CREATE CHILD
      Allow BUILTIN\Windows Authorization Access Group  SPECIAL ACCESS for tokenGroupsGlobalAndUniversal
                                                        READ PROPERTY
      Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS for Exchange Information   <Inherited from parent>
                                                        READ PROPERTY
      Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                        READ PROPERTY
      Allow NT AUTHORITY\NETWORK SERVICE                SPECIAL ACCESS for Exchange Personal Information   <Inherited from parent>
                                                        READ PROPERTY
      Deny  COMCAR\Level 1 Admin                        SPECIAL ACCESS for Add/Remove self as member   <Inherited from parent>
                                                        WRITE SELF
      Deny  COMCAR\Level 2 Admin                        SPECIAL ACCESS for Add/Remove self as member   <Inherited from parent>
                                                        WRITE SELF
      Allow COMCAR\Level 1 Admin                        SPECIAL ACCESS for Add/Remove self as member   <Inherited from parent>
                                                        WRITE PROPERTY
                                                        READ PROPERTY
      Allow COMCAR\Level 2 Admin                        SPECIAL ACCESS for Add/Remove self as member   <Inherited from parent>
                                                        WRITE PROPERTY
                                                        READ PROPERTY
      Allow NT AUTHORITY\Authenticated Users            Send To
      Allow COMCAR\Exchange Servers                     Change Password   <Inherited from parent>
      
      Permissions inherited to subobjects are:
      Inherited to all subobjects
      Allow BUILTIN\Administrators                      SPECIAL ACCESS   <Inherited from parent>
                                                        DELETE
                                                        READ PERMISSONS
                                                        WRITE PERMISSIONS
                                                        CHANGE OWNERSHIP
                                                        CREATE CHILD
                                                        LIST CONTENTS
                                                        WRITE SELF
                                                        WRITE PROPERTY
                                                        READ PROPERTY
                                                        LIST OBJECT
                                                        CONTROL ACCESS
      Allow COMCAR\Enterprise Admins                    FULL CONTROL   <Inherited from parent>
      Allow COMCAR\Exchange Enterprise Servers          SPECIAL ACCESS   <Inherited from parent>
                                                        LIST CONTENTS
      Allow COMCAR\Exchange Recipient Administrators    SPECIAL ACCESS   <Inherited from parent>
                                                        READ PERMISSONS
                                                        LIST CONTENTS
                                                        READ PROPERTY
                                                        LIST OBJECT
      Allow COMCAR\Level 1 Admin                        SPECIAL ACCESS   <Inherited from parent>
                                                        CREATE CHILD
                                                        WRITE PROPERTY
                                                        READ PROPERTY
      Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                        LIST CONTENTS
      Allow COMCAR\Exchange Recipient Administrators    FULL CONTROL for msExchDynamicDistributionList   <Inherited from parent>
      Allow COMCAR\Level 1 Admin                        SPECIAL ACCESS for user   <Inherited from parent>
                                                        CREATE CHILD
                                                        DELETE CHILD
      Allow COMCAR\Level 2 Admin                        SPECIAL ACCESS for computer   <Inherited from parent>
                                                        CREATE CHILD
      Allow COMCAR\Level 2 Admin                        SPECIAL ACCESS for user   <Inherited from parent>
                                                        CREATE CHILD
      Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS for Exchange Information   <Inherited from parent>
                                                        READ PROPERTY
      Allow NT AUTHORITY\NETWORK SERVICE                SPECIAL ACCESS for Exchange Personal Information   <Inherited from parent>
                                                        READ PROPERTY
      Inherited to inetOrgPerson
      Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                        READ PERMISSONS
                                                        LIST CONTENTS
                                                        READ PROPERTY
                                                        LIST OBJECT
      Inherited to user
      Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                        READ PERMISSONS
                                                        LIST CONTENTS
                                                        READ PROPERTY
                                                        LIST OBJECT
      Allow COMCAR\Level 2 Admin                        SPECIAL ACCESS   <Inherited from parent>
                                                        WRITE PROPERTY
                                                        READ PROPERTY
      Allow COMCAR\Level 2 Admin                        Reset Password   <Inherited from parent>
      Allow COMCAR\Level 1 Admin                        FULL CONTROL   <Inherited from parent>
      Inherited to computer
      Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                        READ PROPERTY
      Inherited to user
      Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                        READ PROPERTY
      The command completed successfully
      Last edited by Rems; 3rd February 2009, 11:07.
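      The dump above shows two different access bits on the same "Add/Remove self as member" entry: the Deny carries WRITE SELF (the Self-Membership validated write), while the Allow carries WRITE PROPERTY on the member attribute, and Level 1 Admin additionally holds a non-object-specific WRITE PROPERTY on the whole group. An ACE only governs the bits it contains, so a Deny of WRITE SELF does not cover a direct property write to member. The following is an added example, not code from the thread or from any Microsoft tool: it parses a constructed subset of the posted dsacls output and runs a simplified canonical-order DACL evaluation over it. The COMCAR\Level 1 Admin and Level 2 Admin names are the poster's; the parser, the evaluation model and all function names are assumptions made for illustration.

```python
"""
Why a Deny on 'Add/Remove self as member' does not stop a delegated admin
from adding themselves to a group: the validated write (dsacls: WRITE SELF)
and a direct write of the member attribute (dsacls: WRITE PROPERTY) are two
different access-mask bits, and an ACE only governs the bits it carries.

Added example, not code from the thread. DUMP is a constructed subset of the
dsacls output posted in the thread; the parser and the simplified DACL
evaluation are assumptions for illustration, not Windows' access-check code.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed from the thread's dump: only the ACEs relevant to 'member'.
DUMP = r"""
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow COMCAR\Level 1 Admin                        SPECIAL ACCESS   <Inherited from parent>
                                                  CREATE CHILD
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Deny  COMCAR\Level 1 Admin                        SPECIAL ACCESS for Add/Remove self as member   <Inherited from parent>
                                                  WRITE SELF
Deny  COMCAR\Level 2 Admin                        SPECIAL ACCESS for Add/Remove self as member   <Inherited from parent>
                                                  WRITE SELF
Allow COMCAR\Level 1 Admin                        SPECIAL ACCESS for Add/Remove self as member   <Inherited from parent>
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow COMCAR\Level 2 Admin                        SPECIAL ACCESS for Add/Remove self as member   <Inherited from parent>
                                                  WRITE PROPERTY
                                                  READ PROPERTY
"""

# dsacls labels both the member attribute and the Self-Membership validated
# write with this display name, because they share the same GUID.
MEMBER = "Add/Remove self as member"

ACE_RE = re.compile(r"^(Allow|Deny)\s+(\S.*?)\s{2,}(.+?)\s*$")


@dataclass
class Ace:
    kind: str                   # "Allow" or "Deny"
    trustee: str
    object_type: Optional[str]  # None = whole object / every attribute
    inherited: bool
    rights: set = field(default_factory=set)   # access bits as dsacls names them


def parse_dsacls(text: str) -> list:
    """Parse dsacls-style 'Allow/Deny <trustee> <access>' blocks into Ace objects."""
    aces = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ACE_RE.match(raw)
        if m:
            kind, trustee, rest = m.groups()
            inherited = "<Inherited from parent>" in rest
            rest = rest.replace("<Inherited from parent>", "").strip()
            ace = Ace(kind, trustee, None, inherited)
            if rest.startswith("SPECIAL ACCESS"):
                if " for " in rest:
                    ace.object_type = rest.split(" for ", 1)[1]
            else:
                ace.rights.add(rest)   # FULL CONTROL or an extended right
            aces.append(ace)
        else:
            # Indented continuation line: one access bit of the previous ACE.
            aces[-1].rights.add(raw.strip())
    return aces


def canonical_order(aces: list) -> list:
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind == "Allow"))


def access_check(aces: list, token: set, right: str, attribute: str):
    """First matching ACE for one access bit on one attribute decides (simplified model)."""
    for ace in canonical_order(aces):
        if ace.trustee not in token:
            continue
        if ace.object_type is not None and ace.object_type != attribute:
            continue
        if right not in ace.rights and "FULL CONTROL" not in ace.rights:
            continue   # this ACE says nothing about the requested bit
        return ace.kind == "Allow", ace
    return False, None


def member_write_paths(aces: list, token: set) -> dict:
    """Both ways of changing 'member': validated write vs. direct property write."""
    return {r: access_check(aces, token, r, MEMBER)[0]
            for r in ("WRITE SELF", "WRITE PROPERTY")}


def without_member_write_property(aces: list, trustees: set) -> list:
    """The poster's proposed change: drop the Allow on member for the delegated groups."""
    return [a for a in aces
            if not (a.kind == "Allow" and a.trustee in trustees
                    and a.object_type == MEMBER and "WRITE PROPERTY" in a.rights)]


if __name__ == "__main__":
    aces = parse_dsacls(DUMP)
    groups = {"COMCAR\\Level 1 Admin", "COMCAR\\Level 2 Admin"}
    fixed = without_member_write_property(aces, groups)
    for g in sorted(groups):
        token = {g, "NT AUTHORITY\\Authenticated Users", "COMCAR\\Domain Users"}
        print(g, "as dumped:", member_write_paths(aces, token))
        print(g, "after removing the member Allow:", member_write_paths(fixed, token))
```

      Run as is, the script shows that for both delegated groups WRITE SELF is denied but WRITE PROPERTY on member is still granted, which matches the behaviour described in the thread. After removing the object-specific Allow, Level 2 Admin loses the write, while Level 1 Admin keeps it through the inherited non-object-specific WRITE PROPERTY ACE, so that ACE would need to be narrowed as well.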

      • #4
        Re: Admin delegation - Add Self to Group

        Can you attach the ACL dump in a text file? The way it is right now is not really readable.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"

        • #5
          Re: Admin delegation - Add Self to Group

          I have attached an unedited dump of the ACL list.


          Tbird