Solved

Windows Admin pack - AD DS

Posted on 2009-04-08
Last Modified: 2013-12-04
If any user in our domain installs the Windows Admin Pack on their XP machine, they are able to manage/access all Active Directory domain services (ADUC, AD Sites and Services, CA, etc.). Users are not members of any elevated domain groups; in fact, I created a test user who was only a member of Domain Users and it was able to access all AD DS. I checked the Domain Users group, which has not got any elevated permissions.
Luckily I am the only one who knows about this at the moment so I am eager to secure AD DS before anyone else finds out.
Question by:redfoxsupport

Accepted Solution

by:
snusgubben earned 125 total points
ID: 24094654
AD is "read" by design for all authenticated users so they will be able to "lurk" with snap-ins from the admin pack.

You can make a GPO and link it to the OU where your users are located that will deny snap-ins:

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted\Permitted snap-ins\Group Policy


SG

Assisted Solution

by:rentonc
rentonc earned 125 total points
ID: 24094687
It could be group membership....
You could make a list of the groups that the user is a member of, then look at the properties of each group to see what each group is a member of. It may be that the Domain Users group is a member of a group which is in the Domain Admins group, which is not apparent.

It might be a policy or delegate control issue -
you could open ADUC, right-click on the top-level domain, and choose All Tasks and the Resultant Set of Policy option. If you go through the defaults and select a username, it will show you what the group policies are that are defined (you can do this on each OU, but I'm assuming because they have full domain admin rights the policy would be set at the top level).
The view is similar to that of the gpedit.msc plug-in - look in the Computer Config\Windows Settings\Security Settings .....
0
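The group walk suggested in the answer above can be scripted. This is an added example, not code from any poster in the thread: it assumes the ActiveDirectory PowerShell module is available, a single domain, and a placeholder account name `testuser`; the function name `Get-NestedGroupPath` is made up for illustration.

```powershell
# Added example (not from the thread). Walks every group a user belongs to,
# directly or through nesting, and shows the chain that leads to each group.
Import-Module ActiveDirectory

function Get-NestedGroupPath {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup

    # memberOf never lists the primary group (normally Domain Users),
    # so add it explicitly or its nesting would be missed.
    $start = @($user.MemberOf) + @($user.PrimaryGroup) |
        Where-Object { $_ } | Select-Object -Unique

    # DNs are case-insensitive; the set also stops loops on circular nesting.
    $seen  = [System.Collections.Generic.HashSet[string]]::new(
                 [System.StringComparer]::OrdinalIgnoreCase)
    $queue = New-Object System.Collections.Queue
    foreach ($dn in $start) { $queue.Enqueue(@{ DN = $dn; Path = @() }) }

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if (-not $seen.Add($item.DN)) { continue }   # already visited

        $group = Get-ADGroup -Identity $item.DN -Properties MemberOf, adminCount
        $path  = $item.Path + $group.Name

        [pscustomobject]@{
            Group      = $group.Name
            Path       = $path -join ' -> '
            # adminCount = 1 marks groups protected by AdminSDHolder
            # (Domain Admins, Administrators, and groups nested in them).
            AdminCount = $group.adminCount
        }

        foreach ($parent in $group.MemberOf) {
            $queue.Enqueue(@{ DN = $parent; Path = $path })
        }
    }
}

# 'testuser' is a placeholder. Any row returned here means the account
# reaches a protected group through nesting; no rows means it does not.
Get-NestedGroupPath -SamAccountName 'testuser' |
    Where-Object { $_.AdminCount -eq 1 } |
    Format-Table Group, Path -AutoSize
```

If the filtered output is empty for a user who is only in Domain Users, the access seen through the snap-ins is not coming from hidden group membership.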
