Solved

Using adsiedit to disable the change password for a certain ad account

Posted on 2007-11-20
14
1,028 Views
Last Modified: 2013-12-04
My problem is that I have a computer on a network that needs to be accessed by one person remotely and not locally. So I thought that I could just lock it down by GPO to deny local login, but he also wants that no one can change his password except for me, and that is OK. I am the only enterprise admin. So I go into ADSI Edit, I go into the domain, I go into his object and remove groups to not allow them to change his password, and it did work great, but I went back in 20 min and they were changed back. Inheritance is not checked. So I put Deny next to Change Password and Reset Password, but they changed back? What am I missing so that they stick? I cannot find anything on this subject. Thanks
0
Comment
Question by:Inbox360
14 Comments
 
LVL 3

Expert Comment

by:mediaonegraphics
ID: 20325324
It appears that a group policy you have is overwriting the changes. You could always put his computer in an OU and create a GPO for it, then enable loopback policy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20325458
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20327502
This sounds like a symptom of AdminSDHolder, a background mechanism that replaces the ACL on objects that are members of significant security groups. Which groups is the user a member of?
0
 

Author Comment

by:Inbox360
ID: 20327738
He is a domain admin with delegated control of everything, except he can't touch group policy. My main DC has all 5 roles on it and they are not going to change. The server has 2003 Server Standard R2 SP2. The hotfix says it was fixed with Service Pack 1? Will this still work?

What GPO would I have in place to overwrite this? I made all the GPOs and I don't think I have anything like this. Where is the exact location I would find this?
0
 
LVL 9

Accepted Solution

by:
MSE-dwells earned 500 total points
ID: 20327848
It isn't a GPO -- it's AdminSDHolder, as I said. Since the user's a member of Domain Admins, you can't prevent this. DAs are all-powerful within their own domain; if that's the forest root domain, then they're all-powerful, period. The AdminSDHolder mechanism was designed to prevent people from ACLing significant users with permissions that would provide an attacker a means of elevating their privilege.

Again, this isn't a GPO and it cannot be stopped short of you either -

1) removing the user from all significant security groups (seems unlikely)
2) editing the ACL on the AdminSDHolder object itself, since this is the template ACL that's overwriting your changes

... sorry, not what you wanted to hear, I've no doubt (and you're certainly not the first).
0
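An added audit script, not part of this thread, that shows the mechanism MSE-dwells describes from the defender's side: it lists every account SDProp currently protects (adminCount=1) and diffs the Change Password / Reset Password ACEs on one protected user against the AdminSDHolder template, so you can see which hand-edited ACEs the next pass will overwrite. It assumes the RSAT ActiveDirectory PowerShell module on a supported Windows Server (the 2003 box in the thread predates it); the helper Get-PasswordRightHolders and the placeholder account name are mine, and the two extended-right GUIDs are the standard schema values.

```powershell
# Added example (not from the thread): audit what SDProp/AdminSDHolder will do to
# a protected account. Assumes the RSAT ActiveDirectory module (PowerShell 3+),
# run as an account that can read the domain's security descriptors.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$template = "CN=AdminSDHolder,CN=System,$domainDN"

# Well-known extended-right GUIDs from the AD schema (not taken from the thread)
$changePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password
$resetPassword  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password

# Hypothetical helper: list the Allow/Deny ACEs for the two password rights on one object
function Get-PasswordRightHolders {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.ObjectType -in @($changePassword, $resetPassword) } |
        ForEach-Object {
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Right    = if ($_.ObjectType -eq $changePassword) { 'Change Password' } else { 'Reset Password' }
                Type     = $_.AccessControlType.ToString()   # Allow or Deny
            }
        }
}

# 1) Accounts SDProp currently protects: adminCount=1 is the marker it stamps on
#    members of the protected groups (Domain Admins, Enterprise Admins, ...). Their
#    ACLs are re-copied from the template, with inheritance disabled, on every pass.
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, memberOf |
    Select-Object SamAccountName,
        @{ n = 'MemberOf'; e = { ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } } |
    Format-Table -AutoSize

# 2) Diff one protected user's password ACEs against the template.
$user = Get-ADUser -Identity 'PROTECTED_USER_SAMACCOUNTNAME'   # placeholder: replace
$templateAces = @(Get-PasswordRightHolders -DistinguishedName $template)
$userAces     = @(Get-PasswordRightHolders -DistinguishedName $user.DistinguishedName)

# '=>' rows exist only on the user and will be stripped by the next SDProp pass;
# '<=' rows exist only on the template and will be re-applied to the user.
# Only a change to the template itself (option 2 in the accepted answer) persists.
Compare-Object -ReferenceObject $templateAces -DifferenceObject $userAces `
    -Property Identity, Right, Type -IncludeEqual |
    Sort-Object SideIndicator |
    Format-Table Identity, Right, Type, SideIndicator -AutoSize
```

SDProp runs on the PDC emulator roughly hourly by default, which matches the "changed back in 20 min" observation in the question; a Deny ACE added to the user object survives only until that pass.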
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20327866
PS - if he's a Domain Admin and the GPOs you've delegated control against exist within his domain, he can change them whenever he sees fit to try.
0
 

Author Comment

by:Inbox360
ID: 20328094
He can change my group policy as a domain admin, even though I didn't give him access under Delegate Control?

Also, if I make him an enterprise admin and do not allow groups under me like Domain Admins to change passwords, then by changing the AdminSDHolder template, would that work?
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20328141
If you have only one domain, then yes, because he can implicitly take ownership of anything -- ownership in turn implies the ability to change the ACL.

I don't understand your second question. Let's start with why the user is a DA at present and why you're considering making them an EA -- what do they do that motivates that level of membership?
0
 

Author Comment

by:Inbox360
ID: 20328175
He used to be the CTO and I was the net admin. We left and still help the company. The new people are trying to kick us out, but whenever things break we still fix them. The CTO, as a Domain Admin, wanted to make sure they can't change his password so we can keep helping. That's when I started digging into ADSI Edit, and it kept changing back the ACL changes I made under his object. Any suggestions?
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20328219
Sorry, not possible. All you can do is make it cumbersome, but in the single-domain model a DA is all-powerful.
0
 

Author Comment

by:Inbox360
ID: 20328489
So if I knock them down to just admins, not domain admins, then they need delegated control to administer AD, right? What can they do if they are just admins?
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20328561
Define "just admins"? Are you referring to making them members of the Administrators group on their workstation? If so, they can do whatever they like on that PC and nowhere else. Perhaps you're referring to making them a member of the Administrators group within the domain. If so, that's only one step removed from being a DA and something they'll always be able to add back for themselves.
0
 

Author Comment

by:Inbox360
ID: 20328969
Well, if admins of the domain can change themselves to domain admins, then how do you make privileged levels of access to make AD changes? How do you make it so admins of the domain are just that and cannot make AD changes? There has to be a difference between being an admin of a domain and a domain admin?
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20329071
There is a difference ... but it's in the ACLing details, which are too many to even begin going into. The short explanation is that groups give permission primarily based on where they're ACLed within the directory, not via some implicit hard-coded fluff as it was in NT (even today, though, certain groups do still have implicit permission to do 'stuff'). This is the means by which you're supposed to delegate custom control -- i.e. by creating your own groups, ACLing the group against the resources you're trying to provide access to, and adding the relevant members to the groups.

I'm not sure if or where you got the idea that Administrators were less than Domain Admins or vice versa, but I've not seen it stated in a misleading manner myself. There are pre-existing less-powerful groups that are designed to assist in delegation of the more commonplace tasks, e.g. Server Operators or Backup Operators or ... but, for the most part, simply use AD U&C with Advanced Features switched on and use the Security tab to give specific users permission to do what they need to do.
0
