?
Solved

Windows Admin pack - AD DS

Posted on 2009-04-08
3
Medium Priority
?
467 Views
Last Modified: 2013-12-04
If any users in our domain installs Windows Admin Pack on their XP machine they are able to manage\access all Active directory domain services (ADUC, AD sites and services, CA....etc).  Users are not members of any elevated domain groups, in fact I created a test user who was only a member of domain users and it was able to access all AD DS.  Checked the domain users group which has not got any elevated permissions.  
Luckily I am the only one who knows about this at the moment so I am eager to secure AD DS before anyone else finds out.
0
Comment
Question by:redfoxsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 24094654
AD is "read" by design for all authenticated users so they will be able to "lurk" with snap-ins from the admin pack.

You can make a GPO and link it to the OU where your users is located that will deny snap-ins:

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted\Permitted snap-ins\Group Policy


SG
0
 
LVL 4

Assisted Solution

by:rentonc
rentonc earned 500 total points
ID: 24094687
It could be group membership....
You could make a list of the groups that the user is a member of then look at the properties of each group to see what each group is a member of. it may be the domain users group is a memebr of a group which is in the domain admins group which is not apparent.

It might be a policy or delegate control issue -
you could open ADUC and right click on the top level domain and choose all tasks and resultant set of policy option, if you go through the defaults and seelct a username then it will show you what the group policies are that are defined (you can do this on each ou but Im assuming becasue they have full domain admin rights the policy would be set at the top level)
the view is similar to that of the gpedit.msc plugin - loo in the computer donfig\windows settings\security settings .....
0

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses
Course of the Month11 days, 18 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question