Chuckbuchan
asked on
create/delete user objects permissions
We have a security group "Group1" which has been granted create/delete user objects permissions so that they can run a script from their desktop. This has enabled them to run that script.
I would like to know what else they can do with these permissions? What kind of harm can they do with these permissions?
thanks
Where has the permission been assigned?
meaning... at what level... the domain level or the OU level?
ASKER
at the OU level.
thanks
that would allow members of the security group to delete all user objects from the container and any container below it... it would also allow creation of user objects in that container and any container below... that should be the extent of the security risk associated with assigning the level of permissions you've stated...
if you've delegated the permission and you're concerned about security I would recommend assigning a GPO to the top level OU they have permission to add user objects to and lock down areas of concern on desktops... as any new user they add would be subject to the group policy...
also... make sure to use security groups for permissions to access sensitive resources/shares on the network and not just the Everyone or Domain Users groups... as anyone added will also be a member of those groups automatically...
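The answer above hinges on two things: which child object class the ACE covers and how far down the OU tree it inherits. The following PowerShell is an added example, not part of the thread, that lists the create/delete-child ACEs held by Group1 on the delegated OU so the actual scope can be verified; it assumes the RSAT ActiveDirectory module, and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original thread): audit the create/delete child ACEs
# a group holds on an OU. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$ouDn     = 'OU=PLACEHOLDER,DC=example,DC=com'   # placeholder: the OU where the delegation was made
$groupSam = 'Group1'                             # the group named in the question

# schemaIDGUID of the 'user' object class; an ObjectType of all zeros means "any class"
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$rights        = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path ("AD:\" + $ouDn)

$acl.Access |
    Where-Object {
        $_.IdentityReference -like "*\$groupSam" -and
        ( $_.ActiveDirectoryRights.HasFlag($rights::CreateChild) -or
          $_.ActiveDirectoryRights.HasFlag($rights::DeleteChild) )
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'ChildClass'; e = {
            if     ($_.ObjectType -eq $userClassGuid) { 'user' }
            elseif ($_.ObjectType -eq [Guid]::Empty)  { 'ANY class' }   # wider than intended
            else                                      { $_.ObjectType }
        }},
        # 'All' or 'Descendents' means the right also applies to every sub-OU
        InheritanceType, IsInherited |
    Format-Table -AutoSize
```

A ChildClass of "ANY class" or an InheritanceType other than None indicates the delegation is broader than the user-objects-only, this-OU-only grant described in the question.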
ASKER
Note that the users to whom I granted create/delete user objects permissions don't have access to the AD console from their computers. We just gave them those permissions so that they would be able to run a script from their desktop, because before we gave them the permissions they used to get an "access denied" error message whenever they ran that script from their desktop.
I was just wondering if there would be any security breach with the permissions they have.
thanks
ASKER CERTIFIED SOLUTION
Correction:
whether they have administrator access to their local machine or not they would have to through LDAP...
should read
whether they have administrator access to their local machine or not they would be able to access active directory through LDAP...
ASKER
Yes, they are local administrators. How do they get access to AD through LDAP? Do you mean they can make another script that might do damage in the AD? I guess you are right.... What do you suggest is better for the users to run the script that unlocks locked accounts?
thanks