Solved

active directory delegation problem

Posted on 2008-10-07
12
536 Views
Last Modified: 2010-05-18
I have created a non-admin user and enabled "Account is trusted for delegation". Then I create an OU to which I assign delegation rights to that non-admin user. I unchecked policy inheritance, and proceeded to create a domain admin account in the aforementioned OU. When the non-admin user attempts to exercise its delegated rights all is well and the admin is being managed. About 1 day later, apparently after replication to other domain controllers, the right seems to be gone and the non-admin can no longer manage the admin; however, if I create a new admin in the OU, I can manage it (for about 24 hours). Does anyone have some suggestions on how to get to the bottom of this? Thanks in advance for the help.
0
Comment
Question by:pyrokin
12 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22660495
[1] You do not need to enable the "Account is trusted for delegation" option - this refers to Kerberos delegation, which is a different concept than delegation of authority.

[2] The behavior you are describing is by design, and cannot be overcome. See the following for a description of the issue: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665033
LauraEHunterMVP,

Thanks for the response. In the link providing the description, it points to http://support.microsoft.com/kb/817433. Does this mean there is a workaround?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665045
If you read the link involved, you will see that there are multiple potential workarounds.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665426
I'm a little confused. You said "The behavior you are describing is by design, and cannot be overcome".  Do you know if any of these would work in my scenario? Would it be possible for you to elaborate on Method 2, as this is a little over my head.  Thanks again for your time.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665446
Method 2 involves modifying the default security descriptor for all protected groups managed by adminSDHolder. This is not a best practice and is not recommended by most in the AD profession. Allowing a non-DA to manage the account of a DA is an inherent security risk, and should not be permitted despite the fact that you "can" do so using the workaround listed in the KB article.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665492
Thank you for the clarification. Currently, I have a non-admin user hosting a Windows service (WCF), listening for connections from users to enable and disable the admin account in the OU. I used the delegation wizard to allow that user to enable and disable the admin account. I did this by adding the following to delegwiz.ini:

[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP


  Do you think this delegation will allow some unintended privileges to gain access to the admin account? Does the delegation wizard have flaws that get corrected by the hourly AdminSdHolder-Thread?  
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665515
If the "admin account in the OU" is a member of one of the protected groups that is covered by AdminSDHolder, any delegated permissions on this account will be reset automatically, regardless of any delegations that you have manually established. The only recommended workaround is to configure the admin account itself with delegated permissions such that it is not a member of a protected group.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665535
You lost me. Could you provide an example? "The only recommended workaround is to configure the admin account itself with delegated permissions such that it is not a member of a protected group."
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22665564
Configure the "admin account for the OU" (since this is your terminology, I cannot comment on the specifics of how this account is or is not configured) with only the specific permissions that it requires. Do not make the account in question a member of any protected group.
0
 
LVL 1

Author Comment

by:pyrokin
ID: 22665624
LauraEHunterMVP,

   Thanks again for all your input. My final 2 questions are:

Do you think this delegation will allow some unintended privileges to gain access to the admin account which was added to the OU I created? And if so, does the delegation wizard have flaws that get corrected by the hourly AdminSdHolder-Thread?

[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP


 
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 22668157
The delegation you are describing grants write permissions to the userAccountControl attribute, which will allow the ability to modify all of the following account features: http://support.microsoft.com/kb/305144

AdminSDHolder is an all-or-nothing proposition. If a user is a member of a protected group, any delegations that you manually specify will be removed. If a user is not a member of a protected group, AdminSDHolder offers them no protections whatsoever.
0
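
An added example (not part of the original thread) for the accepted answer's point that write access to userAccountControl covers every flag in the attribute, not only enable/disable: it reviews change records for writes by the delegated service account that touch bits other than ACCOUNTDISABLE. The record layout, account names and sample values are constructed for illustration; the flag values are those documented in KB305144.

```python
# userAccountControl bits as documented in KB305144 (subset relevant to user accounts).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE", 0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_MASK = sum(UAC_FLAGS)   # distinct bits, so the sum equals the bitwise OR
ALLOWED = 0x0002              # the only bit an enable/disable service should touch

def decode(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def changed_flags(old, new):
    """Map each flag that differs between old and new to 'set' or 'cleared'."""
    diff = old ^ new
    out = {name: ("set" if new & bit else "cleared")
           for bit, name in sorted(UAC_FLAGS.items()) if diff & bit}
    unknown = diff & ~KNOWN_MASK
    if unknown:
        out["UNKNOWN_0x%X" % unknown] = "changed"
    return out

def review(events, service_account):
    """Findings for writes by service_account that alter bits outside ALLOWED."""
    findings = []
    for ev in events:
        if ev["actor"].lower() != service_account.lower():
            continue
        old, new = ev["old"] & ~ALLOWED, ev["new"] & ~ALLOWED
        if old != new:
            findings.append((ev["target"], changed_flags(old, new)))
    return findings

# Constructed change records (hypothetical field names and accounts).
SAMPLE = [
    {"actor": "svc_toggle", "target": "adm1", "old": 0x200, "new": 0x202},
    {"actor": "svc_toggle", "target": "adm1", "old": 0x202, "new": 0x10200},
    {"actor": "helpdesk1", "target": "adm2", "old": 0x200, "new": 0x10200},
    {"actor": "svc_toggle", "target": "adm2", "old": 0x40200, "new": 0x200},
]

if __name__ == "__main__":
    for target, flags in review(SAMPLE, "svc_toggle"):
        print(target, flags)
```
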
 
LVL 1

Author Closing Comment

by:pyrokin
ID: 31503843
Thanks again.
0
