Active Directory IS somehow allowing standard users full access to AD Users & Comp


This topic contains 8 replies, has 5 voices, and was last updated by  tmpick 1 year, 7 months ago.

  • #167007

    Hi all,

    I just got a new job a few weeks ago, and I noticed that somehow Active Directory is allowing standard users to modify users and groups in Active Directory Users and Computers, even though the standard users have not been delegated any control.

    I created some test accounts in our Active Directory domain, and all of the test accounts have full access to Active Directory Users and Computers, provided that Remote Server Administration Tools is already installed on their client system.

    I set up a new test domain in a virtual machine using Server 2012 R2. Then I joined a test Windows 10 VM to the domain and the standard user was not able to make any changes to Active Directory. The test user can open Active Directory Users and Computers, but they can’t make any changes.

    So there is something majorly wrong with our production Active Directory domain. I just don’t know where to look or how to resolve this issue. I looked at our default domain policy and there wasn’t anything there about giving users access to the domain.


    Ossian
    Moderator
    #191646

    Check delegated permissions in ADUC (advanced view, then security tab)


    Anonymous
    #372045

    Also check the group membership of any old user who can make changes, vs any new test users you create that can’t make changes. Membership in anything aside from the default ‘domain users’ is suspect. If you create a new test user in your current domain and that account can make the same changes, and that account is only a ‘domain user’ member and nothing else, the delegation was applied to the ‘domain user’ group, somewhere. By the way, why would the RSAT be installed on any but domain admin machines??


    tmpick
    Member
    #391790

    The test user that I created is only a member of the domain user group. The domain user group is users group. The users group is not a member of any groups, since it’s a built-in group.

    Blood
    Moderator
    #337287

    Is it something that has been assigned via Group Policy – Computer Configuration > Windows Settings > Security Settings > Local Policies?


    tmpick
    Member
    #391791
    Blood;n510622 wrote:
    Is it something that has been assigned via Group Policy – Computer Configuration > Windows Settings > Security Settings > Local Policies?

    I just checked, and nothing is being applied.


    Ossian
    Moderator
    #191658

    Have you checked for delegated permissions yet?


    tmpick
    Member
    #391792
    Ossian;n510624 wrote:
    Have you checked for delegated permissions yet?

    How do I check that?


    Ossian
    Moderator
    #191660

    (sigh) See post #2
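
The delegation check suggested in the thread (ADUC, advanced view, Security tab) can also be run across the domain root, the default Users and Computers containers and every OU at once. The following is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module is available, and the list of "broad" principals and write-type rights is this example's own choice:

```powershell
# Added example: report Allow ACEs that give groups containing every standard
# user write-type rights on the domain root, default containers and OUs.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Principals that every standard user is a member of (assumed list).
$broad = '\\Domain Users$|\\Authenticated Users$|^Everyone$|^BUILTIN\\Users$'

# Atomic write-type bits only. GenericAll and GenericWrite are composites that
# contain these bits, so they are matched too; read-only ACEs are not.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights](
    'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree')

$domain  = Get-ADDomain
$targets = @($domain.DistinguishedName, $domain.UsersContainer, $domain.ComputersContainer) +
           @(Get-ADOrganizationalUnit -Filter * |
                 Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            "$($_.IdentityReference)" -match $broad -and
            ($_.ActiveDirectoryRights -band $writeMask)
        } |
        Select-Object @{ n = 'Object'; e = { $dn } },
                      IdentityReference,
                      ActiveDirectoryRights,
                      ObjectType,      # all-zero GUID = applies to all properties/classes
                      InheritanceType,
                      IsInherited      # False = the ACE was set directly on this object
}

if ($findings) {
    $findings | Sort-Object Object | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No write-type ACEs for broad principals on the checked objects.'
}
```

Rows with `IsInherited` set to `False` show where an ACE was applied directly; inherited rows point back to a parent object higher in the tree.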
