Solved

active directory delegation problem

Posted on 2008-10-07
12
532 Views
Last Modified: 2010-05-18
I have created a non-admin user and enabled "Account is trusted for delegation". Then I create a OU to which I assign delegation rights to that non-admin user. I unchecked policy inheritance, and proceed to create a domain admin account in the aforementioned OU. When the non-admin user attempt to exercise it's delegated rights all is well and the admin is being managed. About 1 day later, apparently after replication to other domain controllers, the right seems to be gone and the non-admin can no longer manage the admin, however if I create a new admin in the OU, I can manage it(for about 24 hours)...... Does anyone have some suggestions on how to get to the bottom of this? Thanks in advance for the help.
0
Comment
Question by:pyrokin
  • 6
  • 6
12 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22660495
[1] You do not need to enable the "Account is trusted for delegation" option - this refers to Kerberos delegation, which is a different concept than delegation of authority.

[2] The behavior you are describing is by design, and cannot be overcome. See the following for a description of the issue: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665033
LauraEHunterMVP,

Thanks for the response. In the link providing the description, it points to http://support.microsoft.com/kb/817433. Does this mean there is a workaround?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665045
If you read the link involved, you will see that there are multiple potential workarounds.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665426
I'm a little confused. You said "The behavior you are describing is by design, and cannot be overcome".  Do you know if any of these would work in my scenario? Would it be possible for you to elaborate on Method 2, as this is a little over my head.  Thanks again for your time.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665446
Method 2 involves modifying the default security descriptor for all protected groups managed by adminSDHolder. This is not a best practice and is not recommended by most in the AD profession. Allowing a non-DA to manage the account of a DA is an inherent security risk, and should not be permitted despite the fact that you "can" do so using the workaround listed in the KB article.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665492
Thank you for the clarification. Currently, I have a non-admin user, hosting a windows service(WCF), listening for connections from users to enable and disable the admin account in the OU . I used the delegation wizard to allow that user to enable and disable the admin account. I did this by adding the following delegwiz.ini

[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP


  Do you think this delegation will allow some unintended privileges to gain access to the admin account? Does the delegation wizard have flaws that get corrected by the hourly AdminSdHolder-Thread?  
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665515
If the "admin account in the OU" is a member of one of the protected groups that is covered by AdminSDHolder, any delegated permissions on this account will be reset automatically, regardless of any delegations that you have manually established. The only recommended workaround is to configure the admin account itself with delegated permissions such that it is not a member of a protected group.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665535
You lost me..Could you provide an example "The only recommended workaround is to configure the admin account itself with delegated permissions such that it is not a member of a protected group."
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665564
Configure the "admin account for the OU" (since this is your terminology, I cannnot comment on the specifics of how this account is or is noty configured) with only the specific permissions that it requires. Do not make the account in question a mrember of any protected group.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665624
LauraEHunterMVP,

   Thanks again for all your input. My final 2 questions are :

Do you think this delegation will allow some unintended privileges to gain access to the admin account which was added to the OU i created? and if so does the delegation wizard have flaws that get corrected by the hourly AdminSdHolder-Thread?  

[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP


 
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 22668157
The delegation you are describing grants write permissions to the userAccountControl attribute, which will allow the ability to modify all of the following account features: http://support.microsoft.com/kb/305144

AdminSDHolder is an all-or-nothing proposition. If a user is a member of a protected group, any delegations that you manually specify will be removed. If a user is not a member of a protected group, AdminSDHolder offers them no protections whatsoever.
0
 
LVL 1

Author Closing Comment

by:pyrokin
ID: 31503843
Thanks again.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now