Solved

active directory delegation problem

Posted on 2008-10-07
12
537 Views
Last Modified: 2010-05-18
I have created a non-admin user and enabled "Account is trusted for delegation". Then I create a OU to which I assign delegation rights to that non-admin user. I unchecked policy inheritance, and proceed to create a domain admin account in the aforementioned OU. When the non-admin user attempt to exercise it's delegated rights all is well and the admin is being managed. About 1 day later, apparently after replication to other domain controllers, the right seems to be gone and the non-admin can no longer manage the admin, however if I create a new admin in the OU, I can manage it(for about 24 hours)...... Does anyone have some suggestions on how to get to the bottom of this? Thanks in advance for the help.
0
Comment
Question by:pyrokin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
12 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22660495
[1] You do not need to enable the "Account is trusted for delegation" option - this refers to Kerberos delegation, which is a different concept than delegation of authority.

[2] The behavior you are describing is by design, and cannot be overcome. See the following for a description of the issue: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665033
LauraEHunterMVP,

Thanks for the response. In the link providing the description, it points to http://support.microsoft.com/kb/817433. Does this mean there is a workaround?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665045
If you read the link involved, you will see that there are multiple potential workarounds.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:pyrokin
ID: 22665426
I'm a little confused. You said "The behavior you are describing is by design, and cannot be overcome".  Do you know if any of these would work in my scenario? Would it be possible for you to elaborate on Method 2, as this is a little over my head.  Thanks again for your time.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665446
Method 2 involves modifying the default security descriptor for all protected groups managed by adminSDHolder. This is not a best practice and is not recommended by most in the AD profession. Allowing a non-DA to manage the account of a DA is an inherent security risk, and should not be permitted despite the fact that you "can" do so using the workaround listed in the KB article.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665492
Thank you for the clarification. Currently, I have a non-admin user, hosting a windows service(WCF), listening for connections from users to enable and disable the admin account in the OU . I used the delegation wizard to allow that user to enable and disable the admin account. I did this by adding the following delegwiz.ini

[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP


  Do you think this delegation will allow some unintended privileges to gain access to the admin account? Does the delegation wizard have flaws that get corrected by the hourly AdminSdHolder-Thread?  
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665515
If the "admin account in the OU" is a member of one of the protected groups that is covered by AdminSDHolder, any delegated permissions on this account will be reset automatically, regardless of any delegations that you have manually established. The only recommended workaround is to configure the admin account itself with delegated permissions such that it is not a member of a protected group.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665535
You lost me..Could you provide an example "The only recommended workaround is to configure the admin account itself with delegated permissions such that it is not a member of a protected group."
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665564
Configure the "admin account for the OU" (since this is your terminology, I cannnot comment on the specifics of how this account is or is noty configured) with only the specific permissions that it requires. Do not make the account in question a mrember of any protected group.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665624
LauraEHunterMVP,

   Thanks again for all your input. My final 2 questions are :

Do you think this delegation will allow some unintended privileges to gain access to the admin account which was added to the OU i created? and if so does the delegation wizard have flaws that get corrected by the hourly AdminSdHolder-Thread?  

[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP


 
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 22668157
The delegation you are describing grants write permissions to the userAccountControl attribute, which will allow the ability to modify all of the following account features: http://support.microsoft.com/kb/305144

AdminSDHolder is an all-or-nothing proposition. If a user is a member of a protected group, any delegations that you manually specify will be removed. If a user is not a member of a protected group, AdminSDHolder offers them no protections whatsoever.
0
 
LVL 1

Author Closing Comment

by:pyrokin
ID: 31503843
Thanks again.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question