Deny Access - userAccountControl
  • Deny Access - userAccountControl

    Hey,

    We want to prevent members of staff from being able to Enable/Disable computer accounts but still keep their permissions to be able to Create/Delete computer objects.

    After doing some reading, it looks like we need to explicitly deny access to userAccountControl on the Computer Objects permission.

    This DOES appear to work... but only if the computer object was created by another person.

    If person1 with Create/Delete computer object permissions creates a computer object called "RSTEST123" and then after it is created, attempts to disable "RSTEST123" then they are able to... even though the permission is set to explicitly deny.

    Now, if person2 with Create/Delete computer object permissions creates a computer object called "RSTEST456" and then after it is created, person1 attempts to disable "RSTEST456" then they are unable... but person2 can.

    It is as if they gain full permissions to the computer object because it was them who created it... even if explicitly deny is set.

    I know this possibly isn't best practice... but it is something we need to consider at the moment!

    Please post if you have any idea on how to proceed!

    Thank you.
    Last edited by rsnooks; 5th May 2010, 17:06.

  • #2
    Re: Deny Access - userAccountControl

    What I would suggest is to set a GPO (group policy object) on an OU and only create the computer objects on that OU and define in the GPO that by default, no matter who created the object, the 'system' gets the ownership rights.
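Added example, not part of the original thread: a PowerShell audit that lists, for every computer object in an OU, the object's owner and each ACE scoped to the userAccountControl attribute, including whether the ACE is inherited or set directly on the object. Running it against objects such as RSTEST123 and RSTEST456 lets the two cases from the question be compared side by side. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder DN (assumption): replace with the OU holding the computer objects.
$SearchBase = 'OU=Workstations,DC=example,DC=com'

# Resolve the schemaIDGUID of userAccountControl from the schema partition,
# so the ACE filter below does not depend on a hard-coded GUID.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$uacAttr  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=userAccountControl)' `
                -Properties schemaIDGUID
$uacGuid  = [guid]$uacAttr.schemaIDGUID

$report = foreach ($computer in Get-ADComputer -SearchBase $SearchBase -Filter *) {
    # Read the security descriptor through the AD: provider drive.
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    # Keep only ACEs whose object type is the userAccountControl attribute.
    $uacAces = @($acl.Access | Where-Object { $_.ObjectType -eq $uacGuid })

    if ($uacAces.Count -eq 0) {
        # No attribute-scoped ACE at all: still report the owner.
        [pscustomobject]@{
            Computer  = $computer.Name
            Owner     = $acl.Owner
            Trustee   = '(no userAccountControl ACE)'
            Type      = $null
            Rights    = $null
            Inherited = $null
        }
    }
    foreach ($ace in $uacAces) {
        [pscustomobject]@{
            Computer  = $computer.Name
            Owner     = $acl.Owner                  # account that owns the object
            Trustee   = $ace.IdentityReference      # who the ACE applies to
            Type      = $ace.AccessControlType      # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights  # e.g. WriteProperty
            Inherited = $ace.IsInherited            # $true if inherited from the OU
        }
    }
}

$report | Sort-Object Computer, Type | Format-Table -AutoSize
```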