Lamont_Cranston (Member), May 9, 2017 at 4:42 pm #167007
I just got a new job a few weeks ago, and I noticed that somehow Active Directory is allowing standard users to modify users and groups in Active Directory Users and Computers, even though the standard users have not been delegated any control.
I created some test accounts in our Active Directory domain, and all of the test accounts have full access to Active Directory Users and Computers, provided that Remote Server Administration Tools is already installed on their client system.
I set up a new test domain in a virtual machine using Server 2012 R2. Then I joined a test Windows 10 VM to the domain and the standard user was not able to make any changes to Active Directory. The test user can open Active Directory Users and Computers, but they can't make any changes.
So there is something majorly wrong with our production Active Directory domain. I just don't know where to look or how to resolve this issue. I looked at our default domain policy and there wasn't anything there about giving users access to the domain.

May 10, 2017 at 12:14 am #191646
Check delegated permissions in ADUC (advanced view, then security tab)

Anonymous, May 10, 2017 at 5:25 am #372045
Also check the group membership of any old user who can make changes, vs any new test users you create that can't make changes. Membership in anything aside from the default 'domain users' is suspect. If you create a new test user in your current domain and that account can make the same changes, and that account is only a 'domain user' member and nothing else, the delegation was applied to the 'domain user' group, somewhere. By the way, why would the RSAT be installed on any but domain admin machines??

May 10, 2017 at 10:44 am #391790
The test user that I created is only a member of the domain user group. The domain user group is users group. The users group is not a member of any groups, since it's a built-in group.

Blood (Moderator), May 11, 2017 at 9:04 am #337287
Is it something that has been assigned via Group Policy – Computer Configuration > Windows Settings > Security Settings > Local Policies

May 11, 2017 at 10:54 am #391791
Blood;n510622 wrote: Is it something that has been assigned via Group Policy – Computer Configuration > Windows Settings > Security Settings > Local Policies
I just checked, and nothing is being applied.

May 12, 2017 at 9:24 am #391792
Ossian;n510624 wrote: Have you checked for delegated permissions yet?
How do I check that?
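
One way to check for delegated permissions from a script instead of the ADUC Security tab, as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory module is available, and the group names in `$broadPattern` are an assumption about which principals count as "every standard user".

```powershell
# Added example: list explicit "Allow" ACEs that give broad groups write-type
# rights on the domain root, OUs and containers. Read-only; it changes nothing.
Import-Module ActiveDirectory                      # also creates the AD: drive
Add-Type -AssemblyName System.DirectoryServices    # for the rights enum below

# Assumption: principals treated as "every standard user". Adjust as needed.
$broadPattern = '(^|\\)(Domain Users|Authenticated Users|Everyone|Users)$'

# Rights that allow modifying, creating or deleting objects or their ACLs.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]`
    'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree'

$domainDN = (Get-ADDomain).DistinguishedName
$filter   = '(|(objectClass=organizationalUnit)(objectClass=container))'
$targets  = @($domainDN) + @(Get-ADObject -SearchBase $domainDN -LDAPFilter $filter |
                Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $isWrite = ([int]$ace.ActiveDirectoryRights -band $writeMask) -ne 0
        # Skip inherited ACEs so each delegation is reported where it was set.
        if ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and
            $isWrite -and $ace.IdentityReference.Value -match $broadPattern) {
            [pscustomobject]@{
                Object     = $dn
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                AppliesTo  = $ace.InheritanceType
                ObjectType = $ace.ObjectType   # all-zero GUID = not limited to one attribute/class
            }
        }
    }
}
$findings | Sort-Object Object | Format-Table -AutoSize -Wrap
```

Running it in both the production domain and a clean test domain like the one described in the first post gives two lists to compare; entries that appear only in production are the ones to review.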