?
Solved

Windows Admin pack - AD DS

Posted on 2009-04-08
3
Medium Priority
?
472 Views
Last Modified: 2013-12-04
If any users in our domain installs Windows Admin Pack on their XP machine they are able to manage\access all Active directory domain services (ADUC, AD sites and services, CA....etc).  Users are not members of any elevated domain groups, in fact I created a test user who was only a member of domain users and it was able to access all AD DS.  Checked the domain users group which has not got any elevated permissions.  
Luckily I am the only one who knows about this at the moment so I am eager to secure AD DS before anyone else finds out.
0
Comment
Question by:redfoxsupport
2 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 24094654
AD is "read" by design for all authenticated users so they will be able to "lurk" with snap-ins from the admin pack.

You can make a GPO and link it to the OU where your users is located that will deny snap-ins:

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted\Permitted snap-ins\Group Policy


SG
0
 
LVL 4

Assisted Solution

by:rentonc
rentonc earned 500 total points
ID: 24094687
It could be group membership....
You could make a list of the groups that the user is a member of then look at the properties of each group to see what each group is a member of. it may be the domain users group is a memebr of a group which is in the domain admins group which is not apparent.

It might be a policy or delegate control issue -
you could open ADUC and right click on the top level domain and choose all tasks and resultant set of policy option, if you go through the defaults and seelct a username then it will show you what the group policies are that are defined (you can do this on each ou but Im assuming becasue they have full domain admin rights the policy would be set at the top level)
the view is similar to that of the gpedit.msc plugin - loo in the computer donfig\windows settings\security settings .....
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question