Active Directory IS somehow allowing standard users full access to AD Users & Comp

  • Active Directory IS somehow allowing standard users full access to AD Users & Comp

    Hi all,

    I just got a new job a few weeks ago, and I noticed that somehow Active Directory is allowing standard users to modify users and groups in Active Directory Users and Computers, even though the standard users have not been delegated any control.

    I created some test accounts in our Active Directory domain, and all of the test accounts have full access to Active Directory Users and Computers, providing that Remote Server Administration Tools is already installed on their client system.

    I set up a new test domain in a virtual machine using Server 2012 R2. Then I joined a test Windows 10 VM to the domain, and the standard user was not able to make any changes to Active Directory. The test user can open Active Directory Users and Computers, but they can't make any changes.

    So there is something majorly wrong with our production Active Directory domain. I just don't know where to look or how to resolve this issue. I looked at our default domain policy and there wasn't anything there about giving users access to the domain.

  • #2
    Check delegated permissions in ADUC (advanced view, then security tab)
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Also check the group membership of any old user who can make changes, vs any new test users you create that can't make changes. Membership in anything aside from the default 'domain users' is suspect. If you create a new test user in your current domain and that account can make the same changes, and that account is only a 'domain user' member and nothing else, the delegation was applied to the 'domain user' group, somewhere. By the way, why would the RSAT be installed on any but domain admin machines?
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **

      Comment


      • #4
        The test user that I created is only a member of the domain user group. The domain user group is users group. The users group is not a member of any groups, since it's a built-in group.

        Comment


        • #5
          Is it something that has been assigned via Group Policy - Computer Configuration > Windows Settings > Security Settings > Local Policies?
          A recent poll suggests that 6 out of 7 dwarfs are not happy

          Comment


          • #6
            Originally posted by Blood
            Is it something that has been assigned via Group Policy - Computer Configuration > Windows Settings > Security Settings > Local Policies?
            I just checked, and nothing is being applied.

            Comment


            • #7
              Have you checked for delegated permissions yet?
              Tom Jones

              Comment


              • #8
                Originally posted by Ossian
                Have you checked for delegated permissions yet?
                How do I check that?

                Comment


                • #9
                  (sigh) See post #2
                  Tom Jones

                  Comment
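
The check suggested in posts #2 and #3 can also be run across the whole domain instead of one object at a time in ADUC. The script below is an added example, not something posted in the thread: it lists explicit ACEs that grant write-type rights to broad principals such as Domain Users. It assumes the ActiveDirectory PowerShell module (RSAT) and its `AD:` drive are available; the choice of principals and rights to flag is this example's own.

```powershell
# Added example: find explicit "allow" ACEs that give broad groups write access
# to the domain root, OUs or containers. Read-only; changes nothing.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Broad principals, matched by SID so renamed or localized groups are still caught.
$broadSids = @(
    "$($domain.DomainSID)-513",   # Domain Users
    'S-1-5-11',                   # Authenticated Users
    'S-1-1-0',                    # Everyone
    'S-1-5-32-545'                # BUILTIN\Users
)

# Individual write-type bits only. GenericAll and GenericWrite both contain
# WriteProperty, so they are caught too; listing them here would also set
# ReadControl in the mask and flag ordinary read ACEs.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree'

# Domain root plus every OU and container beneath it.
$targets = @($domain.DistinguishedName) +
    @(Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' `
        -SearchBase $domain.DistinguishedName |
        Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Explicit (non-inherited) ACEs only: these show where a delegation was set.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadSids -contains $ace.IdentityReference.Value -and
            ($ace.ActiveDirectoryRights -band $writeMask)) {
            [pscustomobject]@{
                Object    = $dn
                Principal = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
                Rights    = $ace.ActiveDirectoryRights
                AppliesTo = $ace.InheritanceType
            }
        }
    }
}

$findings | Sort-Object Object | Format-Table -AutoSize -Wrap
```

Any row returned names an object where the delegation was applied directly; an `AppliesTo` value of `All` or `Descendents` on the domain root or a high-level OU would explain write access throughout the tree beneath it.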