Solved

Windows Admin pack - AD DS

Posted on 2009-04-08
3
466 Views
Last Modified: 2013-12-04
If any users in our domain installs Windows Admin Pack on their XP machine they are able to manage\access all Active directory domain services (ADUC, AD sites and services, CA....etc).  Users are not members of any elevated domain groups, in fact I created a test user who was only a member of domain users and it was able to access all AD DS.  Checked the domain users group which has not got any elevated permissions.  
Luckily I am the only one who knows about this at the moment so I am eager to secure AD DS before anyone else finds out.
0
Comment
Question by:redfoxsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 125 total points
ID: 24094654
AD is "read" by design for all authenticated users so they will be able to "lurk" with snap-ins from the admin pack.

You can make a GPO and link it to the OU where your users is located that will deny snap-ins:

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted\Permitted snap-ins\Group Policy


SG
0
 
LVL 4

Assisted Solution

by:rentonc
rentonc earned 125 total points
ID: 24094687
It could be group membership....
You could make a list of the groups that the user is a member of then look at the properties of each group to see what each group is a member of. it may be the domain users group is a memebr of a group which is in the domain admins group which is not apparent.

It might be a policy or delegate control issue -
you could open ADUC and right click on the top level domain and choose all tasks and resultant set of policy option, if you go through the defaults and seelct a username then it will show you what the group policies are that are defined (you can do this on each ou but Im assuming becasue they have full domain admin rights the policy would be set at the top level)
the view is similar to that of the gpedit.msc plugin - loo in the computer donfig\windows settings\security settings .....
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question